Salesforce infrastructure abuse

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

Sublime rule (View on GitHub)

  1name: "Salesforce infrastructure abuse"
  2description: "Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  
  8  // we look at the return-path because many times in the abuse
  9  // we've seen, the From is a custom domain
 10  and headers.return_path.domain.root_domain == "salesforce.com"
 11  and length(attachments) == 0
 12  // there are external links (not org or SF domains)
 13  and length(filter(body.links,
 14                    .href_url.domain.domain not in $org_domains
 15                    and .href_url.domain.root_domain not in (
 16                      "salesforce.com",
 17                      "force.com",
 18                      "site.com", // salesforce CRM
 19                      "agentforce.com"
 20                    )
 21             )
 22  ) > 0
 23  and (
 24    (
 25      any(ml.nlu_classifier(body.current_thread.text).intents,
 26          .name == "cred_theft" and .confidence == "high"
 27      )
 28      and ml.nlu_classifier(body.current_thread.text).language == "english"
 29    )
 30    // subject match when cred_theft doesn't match
 31    // high confidence observed subject intros in the format of "Urgent Thing: ..."
 32    or regex.icontains(subject.subject,
 33                       '^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
 34    )
 35    or any(ml.logo_detect(file.message_screenshot()).brands,
 36           .name in ("Facebook", "Meta", "Instagram", "Threads")
 37           and .confidence in ("medium", "high")
 38    )
 39    // any of the links are for newly registered domains
 40    or any(filter(body.links,
 41                  .href_url.domain.domain not in $org_domains
 42                  and .href_url.domain.root_domain not in (
 43                    "salesforce.com",
 44                    "force.com",
 45                    "site.com", // salesforce CRM
 46                    "agentforce.com"
 47                  )
 48           ),
 49           network.whois(.href_url.domain).days_old < 30
 50    )
 51  )
 52  and 1 of (
 53    ( // sender domain matches no body domains
 54      length(body.links) > 0
 55      and all(body.links,
 56              (
 57                .href_url.domain.root_domain != sender.email.domain.root_domain
 58                and .href_url.domain.root_domain not in (
 59                  "salesforce.com",
 60                  "force.com",
 61                  "site.com",
 62                  "agentforce.com"
 63                )
 64              )
 65              or .href_url.domain.root_domain is null
 66      )
 67    ),
 68    any(recipients.to,
 69        .email.domain.valid
 70        and any(body.links,
 71                strings.icontains(.href_url.url, ..email.email)
 72                or any(beta.scan_base64(.href_url.url,
 73                                        format="url",
 74                                        ignore_padding=true
 75                       ),
 76                       strings.icontains(., ...email.email)
 77                )
 78                or any(beta.scan_base64(.href_url.fragment, ignore_padding=true),
 79                       strings.icontains(., ...email.email)
 80                )
 81                // cloudflare turnstile or phishing warning page
 82                or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
 83                                     "cloudflare"
 84                )
 85        )
 86    ),
 87    regex.icontains(subject.subject,
 88                    "termination.*notice",
 89                    "38417",
 90                    ":completed",
 91                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
 92                    "[il][il][il]egai[ -]",
 93                    "[li][li][li]ega[li] attempt",
 94                    "[ng]-?[io]n .*block",
 95                    "[ng]-?[io]n .*cancel",
 96                    "[ng]-?[io]n .*deactiv",
 97                    "[ng]-?[io]n .*disabl",
 98                    "action.*required",
 99                    "abandon.*package",
100                    "about.your.account",
101                    "acc(ou)?n?t (is )?on ho[li]d",
102                    "acc(ou)?n?t.*terminat",
103                    "acc(oun)?t.*[il1]{2}mitation",
104                    "access.*limitation",
105                    "account (will be )?block",
106                    "account.*de-?activat",
107                    "account.*locked",
108                    "account.*restrict",
109                    "account.*re-verification",
110                    "account.*security",
111                    "account.*suspension",
112                    "account.has.been",
113                    "account.has.expired",
114                    "account.will.be.blocked",
115                    "account v[il]o[li]at",
116                    "activity.*acc(oun)?t",
117                    "almost.full",
118                    "app[li]e.[il]d",
119                    "appeal required",
120                    "authenticate.*account",
121                    "been.*suspend",
122                    "clos.*of.*account.*processed",
123                    "confirm.your.account",
124                    "copyright (?:restriction|infringment)",
125                    "courier.*able",
126                    "crediential.*notif",
127                    "Critical Alert",
128                    "deactivation.*in.*progress",
129                    "delivery.*attempt.*failed",
130                    "document.received",
131                    "documented.*shared.*with.*you",
132                    "dropbox.*document",
133                    "e-?ma[il1]+ .{010}suspen",
134                    "e-?ma[il1]{1} user",
135                    "e-?ma[il1]{2} acc",
136                    "e-?ma[il1]{2}.*up.?grade",
137                    "e.?ma[il1]{2}.*server",
138                    "e.?ma[il1]{2}.*suspend",
139                    "email.update",
140                    "faxed you",
141                    "final notice",
142                    "fraud(ulent)?.*charge",
143                    "from.helpdesk",
144                    "fu[il1]{2}.*ma[il1]+[ -]?box",
145                    "has.been.*suspended",
146                    "has.been.limited",
147                    "have.locked",
148                    "he[li]p ?desk upgrade",
149                    "heipdesk",
150                    "i[il]iega[il]",
151                    "ii[il]ega[il]",
152                    "immediate action",
153                    "incoming e?mail",
154                    "incoming.*fax",
155                    "lock.*security",
156                    "ma[il1]{1}[ -]?box.*quo",
157                    "ma[il1]{2}[ -]?box.*fu[il1]",
158                    "ma[il1]{2}box.*[il1]{2}mit",
159                    "ma[il1]{2}box stor",
160                    "mail on.?hold",
161                    "mail.*box.*migration",
162                    "mail.*de-?activat",
163                    "mail.update.required",
164                    "mails.*pending",
165                    "messages.*pending",
166                    "missed.*shipping.*notification",
167                    "missed.shipment.notification",
168                    "must.update.your.account",
169                    "new [sl][io]g?[nig][ -]?in from",
170                    "new voice ?-?mail",
171                    "notifications.*pending",
172                    "office.*3.*6.*5.*suspend",
173                    "office365",
174                    "on google docs with you",
175                    "online doc",
176                    "password.*compromised",
177                    "periodic maintenance",
178                    "potential(ly)? unauthorized",
179                    "refund not approved",
180                    "restrictions applied",
181                    "report",
182                    "revised.*policy",
183                    "scam",
184                    "scanned.?invoice",
185                    "secured?.update",
186                    "security breach",
187                    "securlty",
188                    "signed.*delivery",
189                    "social media",
190                    "status of your .{314}? ?delivery",
191                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
192                    "suspicious.*sign.*[io]n",
193                    "suspicious.activit",
194                    "temporar(il)?y deactivate",
195                    "temporar[il1]{2}y disab[li]ed",
196                    "temporarily.*lock",
197                    "time.sensitive",
198                    "un-?usua[li].activity",
199                    "unable.*deliver",
200                    "unauthorized.*activit",
201                    "unauthorized.device",
202                    "unauthorized.use",
203                    "undelivered message",
204                    "unread.*doc",
205                    "unusual.activity",
206                    "upgrade.*account",
207                    "upgrade.notice",
208                    "urgent message",
209                    "urgent.verification",
210                    "v[il1]o[li1]at[il1]on security",
211                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
212                    "verification ?-?require",
213                    "verification( )?-?need",
214                    "verify.your?.account",
215                    "web ?-?ma[il1]{2}",
216                    "web[ -]?ma[il1]{2}",
217                    "will.be.suspended",
218                    "your (customer )?account .as",
219                    "your.office.365",
220                    "your.online.access",
221                    "Critical.Notice",
222                    "Restore.Access",
223                    // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
224                    "account has been limited",
225                    "action required",
226                    "almost full",
227                    "apd notifi cation",
228                    "are you at your desk",
229                    "are you available",
230                    "attached file to docusign",
231                    "banking is temporarily unavailable",
232                    "bankofamerica",
233                    "closing statement invoice",
234                    "completed: docusign",
235                    "de-activation of",
236                    "delivery attempt",
237                    "delivery stopped for shipment",
238                    "detected suspicious",
239                    "detected suspicious actvity",
240                    "docu sign",
241                    "document for you",
242                    "document has been sent to you via docusign",
243                    "document is ready for signature",
244                    "docusign",
245                    "encrypted message",
246                    "failed delivery",
247                    "fedex tracking",
248                    "file was shared",
249                    "freefax",
250                    "fwd: due invoice paid",
251                    "has shared",
252                    "inbox is full",
253                    "invitation to comment",
254                    "invitation to edit",
255                    "invoice due",
256                    "left you a message",
257                    "message from",
258                    "new message",
259                    "new voicemail",
260                    "on desk",
261                    "out of space",
262                    "password reset",
263                    "payment status",
264                    "quick reply",
265                    "re: w-2",
266                    "required",
267                    "required: completed docusign",
268                    "remittance",
269                    "ringcentral",
270                    "scanned image",
271                    "secured files",
272                    "secured pdf",
273                    "security alert",
274                    "new sign-in",
275                    "new sign in",
276                    "sign-in attempt",
277                    "sign in attempt",
278                    "staff review",
279                    "suspicious activity",
280                    "unrecognized login attempt",
281                    "upgrade immediately",
282                    "urgent",
283                    "wants to share",
284                    "w2",
285                    "you have notifications pending",
286                    "your account",
287                    'your (?:\w+\s+){0,1}\s*account',
288                    "your amazon order",
289                    "your document settlement",
290                    "your order with amazon",
291                    "your password has been compromised",
292    ),
293    any($suspicious_subjects, strings.icontains(subject.subject, .))
294  )
295  and (
296    // if the From is a custom domain, check that it's an unknown sender
297    // otherwise, it should be from salesforce
298    (
299      sender.email.domain.domain == "salesforce.com"
300      and any(headers.hops,
301              any(.fields,
302                  .name == "X-SFDC-EmailCategory"
303                  and .value in (
304                    "apiMassMail",
305                    "networksNewUser",
306                    "Not Specified"
307                  )
308              )
309      )
310      // negate "meta" emails from the mentioned org itself
311      // for example, subject: "a sandbox has been deleted for org ID, a1b2c3"
312      // the org ID will appear in the X-SFDC-LK header
313      and not any(headers.hops,
314                  any(.fields,
315                      .name == "X-SFDC-LK"
316                      and strings.ends_with(subject.subject, .value)
317                  )
318      )
319    )
320    or (
321      (
322        (
323          profile.by_sender().prevalence in ("new", "outlier")
324          and not profile.by_sender().solicited
325        )
326        or (
327          profile.by_sender().any_messages_malicious_or_spam
328          and not profile.by_sender().any_messages_benign
329        )
330      )
331  
332      // negate highly trusted sender domains unless they fail DMARC authentication
333      and (
334        (
335          sender.email.domain.root_domain in $high_trust_sender_root_domains
336          and not headers.auth_summary.dmarc.pass
337        )
338        or sender.email.domain.root_domain not in $high_trust_sender_root_domains
339      )
340    )
341  )  
342attack_types:
343  - "Credential Phishing"
344tactics_and_techniques:
345  - "Evasion"
346  - "Social engineering"
347detection_methods:
348  - "Content analysis"
349  - "Header analysis"
350  - "Natural Language Understanding"
351  - "URL analysis"
352id: "78a77c70-4008-545a-812f-bde793b72c29"
to-top