Service abuse: Cisco secure email service with financial request
Detects messages abusing Cisco's secure email service (res.cisco.com) that contain financial topics or invoice requests, with mismatched reply-to domains and undisclosed recipients.
Sublime rule (View on GitHub)
name: "Service abuse: Cisco secure email service with financial request"
description: "Detects messages abusing Cisco's secure email service (res.cisco.com) that contain financial topics or invoice requests, with mismatched reply-to domains and undisclosed recipients."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.domain == 'res.cisco.com'
  and any(headers.reply_to, .email.domain.domain != 'res.cisco.com')
  and (
    length(recipients.to) == 0
    or all(recipients.to, .display_name == "Undisclosed recipients")
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Financial Communications", "Request to View Invoice")
    )
    or any(ml.nlu_classifier(subject.base).entities, .name == "financial")
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "43a6daa8-e401-5b49-a6a2-ee9ed7e379fd"
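To see how the rule's clauses combine, the following is an added Python re-implementation of its structural checks run over constructed sample messages. It is not Sublime's code and not part of the rule above: the `ml.nlu_classifier()` topic and entity checks are Sublime-hosted models, so a keyword heuristic stands in for them here (an assumption for illustration only), and the `Message` fields, sample addresses and helper names are all invented for the example.

```python
"""Added example: plain-Python model of the rule's AND-ed clauses.

Not Sublime's code. The keyword regex below is a stand-in for the
ml.nlu_classifier() topics/entities used by the real rule (assumption).
"""
import re
from dataclasses import dataclass
from email.utils import parseaddr

ABUSED_SERVICE_DOMAIN = "res.cisco.com"

# Stand-in for the "Financial Communications" / "Request to View Invoice"
# topics and the "financial" subject entity. Assumption, not Sublime's model.
FINANCIAL_TERMS = re.compile(
    r"\b(invoice|payment|wire transfer|remittance|purchase order|past due|overdue)\b",
    re.IGNORECASE,
)


@dataclass
class Message:
    """Constructed message model; fields mirror the MQL paths the rule reads."""
    inbound: bool                 # type.inbound
    sender: str                   # sender.email
    reply_to: list[str]           # headers.reply_to[].email
    to: list[tuple[str, str]]     # recipients.to[] as (display_name, email)
    subject: str                  # subject.base (assumed already stripped of Re:/Fwd:)
    body: str                     # body.current_thread.text


def domain_of(address: str) -> str:
    """Full domain of an RFC 5322 address, i.e. MQL's .domain.domain (not the root domain)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def looks_financial(text: str) -> bool:
    """Keyword stand-in for the NLU financial topic/entity checks."""
    return FINANCIAL_TERMS.search(text) is not None


def matched_conditions(msg: Message) -> list[str]:
    """Names of the rule's top-level clauses that this message satisfies."""
    hits = []
    if msg.inbound:
        hits.append("inbound")
    if domain_of(msg.sender) == ABUSED_SERVICE_DOMAIN:
        hits.append("sender_is_res_cisco")
    # any() over an empty Reply-To list is False, matching MQL's any() on an empty list.
    if any(domain_of(r) != ABUSED_SERVICE_DOMAIN for r in msg.reply_to):
        hits.append("reply_to_offdomain")
    if len(msg.to) == 0 or all(name == "Undisclosed recipients" for name, _ in msg.to):
        hits.append("undisclosed_recipients")
    if looks_financial(msg.body) or looks_financial(msg.subject):
        hits.append("financial_topic")
    return hits


REQUIRED = {
    "inbound",
    "sender_is_res_cisco",
    "reply_to_offdomain",
    "undisclosed_recipients",
    "financial_topic",
}


def rule_fires(msg: Message) -> bool:
    """True only when every clause of the rule is satisfied."""
    return REQUIRED.issubset(matched_conditions(msg))


# Constructed samples (not real telemetry).
SUSPICIOUS = Message(
    inbound=True,
    sender="Secure Message <no-reply@res.cisco.com>",
    reply_to=["accounts@example-mailbox.invalid"],
    to=[("Undisclosed recipients", "undisclosed-recipients@res.cisco.com")],
    subject="Invoice #4471 ready for review",
    body="Please open the secure message to view your invoice and arrange payment.",
)
LEGIT_NOTIFICATION = Message(
    inbound=True,
    sender="Secure Message <no-reply@res.cisco.com>",
    reply_to=["no-reply@res.cisco.com"],
    to=[("Alice Example", "alice@corp.example")],
    subject="You have received a secure message",
    body="Open the attachment to read the secure message.",
)

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS), ("legit", LEGIT_NOTIFICATION)):
        print(label, rule_fires(m), matched_conditions(m))
```

The legitimate notification fails on two independent clauses (on-domain Reply-To and a named recipient), which is why the rule stacks header checks on top of the content classifier: a genuine Cisco notification with financial wording still does not fire unless the Reply-To points off the service's domain and the recipient list is hidden.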