Service abuse: Cisco secure email service with financial request

Detects messages abusing Cisco's secure email service (res.cisco.com) that contain financial topics or invoice requests, with mismatched reply-to domains and undisclosed recipients.

Sublime rule (View on GitHub)

name: "Service abuse: Cisco secure email service with financial request"
description: "Detects messages abusing Cisco's secure email service (res.cisco.com) that contain financial topics or invoice requests, with mismatched reply-to domains and undisclosed recipients."
type: "rule"
severity: "high"
# The query below fires only when ALL of the following hold:
#   1. the message is inbound and the sender's email domain is exactly
#      res.cisco.com (the Cisco secure email service);
#   2. at least one Reply-To header carries a domain other than res.cisco.com,
#      i.e. replies are steered away from the Cisco service;
#   3. the To recipient list is empty, or every To entry has the display name
#      "Undisclosed recipients";
#   4. the NLU classifier assigns the current thread's body text a
#      "Financial Communications" or "Request to View Invoice" topic, OR
#      assigns the base subject a "financial" entity.
# NOTE(review): the sender check (1) is a plain string comparison on the
# sender domain and the rule reads no authentication results; whether
# spoofed-From messages are meant to be caught elsewhere is not visible
# here — confirm.
source: |
  type.inbound
  and sender.email.domain.domain == 'res.cisco.com'
  and any(headers.reply_to, .email.domain.domain != 'res.cisco.com')
  and (
    length(recipients.to) == 0
    or all(recipients.to, .display_name == "Undisclosed recipients")
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Financial Communications", "Request to View Invoice")
    )
    or any(ml.nlu_classifier(subject.base).entities, .name == "financial")
  )
    

# Classification metadata: how the detection is categorised and which
# analysis methods the query above relies on.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "43a6daa8-e401-5b49-a6a2-ee9ed7e379fd"