Salesforce Infrastructure Abuse

Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks.

Sublime rule (View on GitHub)

  1name: "Salesforce Infrastructure Abuse"
  2description: "Identifies messages that resemble credential theft, originating from Salesforce. Salesforce infrastrcture abuse has been observed recently to send phishing attacks."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7
  8  // we look at the return-path because many times in the abuse
  9  // we've seen, the From is a custom domain
 10  and headers.return_path.domain.root_domain == "salesforce.com"
 11
 12  // legit salesforce email addresses that haven't been observed to be abused
 13  and sender.email.email not in ("support@salesforce.com")
 14  and length(attachments) == 0
 15  and length(body.links) > 0
 16  and any(ml.nlu_classifier(body.current_thread.text).intents,
 17          .name == "cred_theft" and .confidence == "high"
 18  )
 19  and 1 of (
 20    ( // sender domain matches no body domains
 21      length(body.links) > 0
 22      and all(body.links,
 23              .href_url.domain.root_domain != sender.email.domain.root_domain
 24      )
 25    ),
 26    regex.icontains(subject.subject,
 27                    "termination.*notice",
 28                    "38417",
 29                    ":completed",
 30                    "[il1]{2}mit.*ma[il1]{2} ?bo?x",
 31                    "[il][il][il]egai[ -]",
 32                    "[li][li][li]ega[li] attempt",
 33                    "[ng]-?[io]n .*block",
 34                    "[ng]-?[io]n .*cancel",
 35                    "[ng]-?[io]n .*deactiv",
 36                    "[ng]-?[io]n .*disabl",
 37                    "action.*required",
 38                    "abandon.*package",
 39                    "about.your.account",
 40                    "acc(ou)?n?t (is )?on ho[li]d",
 41                    "acc(ou)?n?t.*terminat",
 42                    "acc(oun)?t.*[il1]{2}mitation",
 43                    "access.*limitation",
 44                    "account (will be )?block",
 45                    "account.*de-?activat",
 46                    "account.*locked",
 47                    "account.*re-verification",
 48                    "account.*security",
 49                    "account.*suspension",
 50                    "account.has.been",
 51                    "account.has.expired",
 52                    "account.will.be.blocked",
 53                    "account v[il]o[li]at",
 54                    "activity.*acc(oun)?t",
 55                    "almost.full",
 56                    "app[li]e.[il]d",
 57                    "authenticate.*account",
 58                    "been.*suspend",
 59                    "clos.*of.*account.*processed",
 60                    "confirm.your.account",
 61                    "courier.*able",
 62                    "deactivation.*in.*progress",
 63                    "delivery.*attempt.*failed",
 64                    "document.received",
 65                    "documented.*shared.*with.*you",
 66                    "dropbox.*document",
 67                    "e-?ma[il1]+ .{010}suspen",
 68                    "e-?ma[il1]{1} user",
 69                    "e-?ma[il1]{2} acc",
 70                    "e-?ma[il1]{2}.*up.?grade",
 71                    "e.?ma[il1]{2}.*server",
 72                    "e.?ma[il1]{2}.*suspend",
 73                    "email.update",
 74                    "faxed you",
 75                    "fraud(ulent)?.*charge",
 76                    "from.helpdesk",
 77                    "fu[il1]{2}.*ma[il1]+[ -]?box",
 78                    "has.been.*suspended",
 79                    "has.been.limited",
 80                    "have.locked",
 81                    "he[li]p ?desk upgrade",
 82                    "heipdesk",
 83                    "i[il]iega[il]",
 84                    "ii[il]ega[il]",
 85                    "incoming e?mail",
 86                    "incoming.*fax",
 87                    "lock.*security",
 88                    "ma[il1]{1}[ -]?box.*quo",
 89                    "ma[il1]{2}[ -]?box.*fu[il1]",
 90                    "ma[il1]{2}box.*[il1]{2}mit",
 91                    "ma[il1]{2}box stor",
 92                    "mail on.?hold",
 93                    "mail.*box.*migration",
 94                    "mail.*de-?activat",
 95                    "mail.update.required",
 96                    "mails.*pending",
 97                    "messages.*pending",
 98                    "missed.*shipping.*notification",
 99                    "missed.shipment.notification",
100                    "must.update.your.account",
101                    "new [sl][io]g?[nig][ -]?in from",
102                    "new voice ?-?mail",
103                    "notifications.*pending",
104                    "office.*3.*6.*5.*suspend",
105                    "office365",
106                    "on google docs with you",
107                    "online doc",
108                    "password.*compromised",
109                    "periodic maintenance",
110                    "potential(ly)? unauthorized",
111                    "refund not approved",
112                    "report",
113                    "revised.*policy",
114                    "scam",
115                    "scanned.?invoice",
116                    "secured?.update",
117                    "security breach",
118                    "securlty",
119                    "signed.*delivery",
120                    "status of your .{314}? ?delivery",
121                    "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
122                    "suspicious.*sign.*[io]n",
123                    "suspicious.activit",
124                    "temporar(il)?y deactivate",
125                    "temporar[il1]{2}y disab[li]ed",
126                    "temporarily.*lock",
127                    "un-?usua[li].activity",
128                    "unable.*deliver",
129                    "unauthorized.*activit",
130                    "unauthorized.device",
131                    "undelivered message",
132                    "unread.*doc",
133                    "unusual.activity",
134                    "upgrade.*account",
135                    "upgrade.notice",
136                    "urgent message",
137                    "urgent.verification",
138                    "v[il1]o[li1]at[il1]on security",
139                    "va[il1]{1}date.*ma[il1]{2}[ -]?box",
140                    "verification ?-?require",
141                    "verification( )?-?need",
142                    "verify.your?.account",
143                    "web ?-?ma[il1]{2}",
144                    "web[ -]?ma[il1]{2}",
145                    "will.be.suspended",
146                    "your (customer )?account .as",
147                    "your.office.365",
148                    "your.online.access",
149                    // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
150                    "account has been limited",
151                    "action required",
152                    "almost full",
153                    "apd notifi cation",
154                    "are you at your desk",
155                    "are you available",
156                    "attached file to docusign",
157                    "banking is temporarily unavailable",
158                    "bankofamerica",
159                    "closing statement invoice",
160                    "completed: docusign",
161                    "de-activation of",
162                    "delivery attempt",
163                    "delivery stopped for shipment",
164                    "detected suspicious",
165                    "detected suspicious actvity",
166                    "docu sign",
167                    "document for you",
168                    "document has been sent to you via docusign",
169                    "document is ready for signature",
170                    "docusign",
171                    "encrypted message",
172                    "failed delivery",
173                    "fedex tracking",
174                    "file was shared",
175                    "freefax",
176                    "fwd: due invoice paid",
177                    "has shared",
178                    "inbox is full",
179                    "invitation to comment",
180                    "invitation to edit",
181                    "invoice due",
182                    "left you a message",
183                    "message from",
184                    "new message",
185                    "new voicemail",
186                    "on desk",
187                    "out of space",
188                    "password reset",
189                    "payment status",
190                    "quick reply",
191                    "re: w-2",
192                    "required",
193                    "required: completed docusign",
194                    "remittance",
195                    "ringcentral",
196                    "scanned image",
197                    "secured files",
198                    "secured pdf",
199                    "security alert",
200                    "new sign-in",
201                    "new sign in",
202                    "sign-in attempt",
203                    "sign in attempt",
204                    "staff review",
205                    "suspicious activity",
206                    "unrecognized login attempt",
207                    "upgrade immediately",
208                    "urgent",
209                    "wants to share",
210                    "w2",
211                    "you have notifications pending",
212                    "your account",
213                    "your amazon order",
214                    "your document settlement",
215                    "your order with amazon",
216                    "your password has been compromised",
217    ),
218    any($suspicious_subjects, strings.icontains(subject.subject, .))
219  )
220  and (
221    // if the From is a custom domain, check that it's an unknown sender
222    // otherwise, it should be from salesforce
223    (
224      sender.email.domain.domain == "salesforce.com"
225      and any(headers.hops,
226              any(.fields,
227                  .name == "X-SFDC-EmailCategory" and .value == "apiMassMail"
228              )
229      )
230    )
231    or (
232      (
233        (
234          profile.by_sender().prevalence in ("new", "outlier")
235          and not profile.by_sender().solicited
236        )
237        or (
238          profile.by_sender().any_messages_malicious_or_spam
239          and not profile.by_sender().any_false_positives
240        )
241      )
242      // negate highly trusted sender domains unless they fail DMARC authentication
243      and (
244        (
245          sender.email.domain.root_domain in $high_trust_sender_root_domains
246          and (
247            any(distinct(headers.hops, .authentication_results.dmarc is not null),
248                strings.ilike(.authentication_results.dmarc, "*fail")
249            )
250          )
251        )
252        or sender.email.domain.root_domain not in $high_trust_sender_root_domains
253      )
254    )
255  )  
256attack_types:
257  - "Credential Phishing"
258tactics_and_techniques:
259  - "Evasion"
260  - "Social engineering"
261detection_methods:
262  - "Content analysis"
263  - "Header analysis"
264  - "Natural Language Understanding"
265  - "URL analysis"
266id: "78a77c70-4008-545a-812f-bde793b72c29"
to-top