Fake shipping notification with suspicious language
Body contains keywords for shipping, contains suspicious language, and addresses the recipient by their email, which is an indicator of phishing and/or spam.
Sublime rule

```yaml
name: "Fake shipping notification with suspicious language"
description: |
  Body contains keywords for shipping, contains suspicious language, and addresses the recipient by their email, which is an indicator of phishing and/or spam.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // contains at least 1 link
  and length(body.links) > 0
  // at least three of the shipping-themed phrases (case-insensitive substring match)
  and 3 of (
    strings.ilike(body.current_thread.text, "*(1)*"),
    strings.ilike(body.current_thread.text, "*waiting for delivery*"),
    strings.ilike(body.current_thread.text, "*delivery missed*"),
    strings.ilike(body.current_thread.text, "*tracking number*")
  )

  // urgent/time-sensitive language
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "urgency"
  )

  // email addresses the recipient by their email local part rather than by name
  and any(recipients.to,
          any(ml.nlu_classifier(body.current_thread.text).entities,
              .text == ..email.local_part
          )
  )
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
id: "67748b0a-ac4c-525c-8393-7ed7b1b51f29"
```
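The same five conditions as the rule, as an added Python illustration (not part of the Sublime rule or its engine) run over two constructed messages. `strings.ilike("*x*")` is modelled as a case-insensitive substring test; the `ml.nlu_classifier` "urgency" entity and the entity-equals-local-part check are stand-ins (an assumed keyword list and a token comparison), since the real classifier is not available offline.

```python
import re
from dataclasses import dataclass

# Shipping phrases from the rule; "*x*" in strings.ilike is a case-insensitive substring match.
SHIPPING_PHRASES = ("(1)", "waiting for delivery", "delivery missed", "tracking number")
# Assumed stand-in for the NLU "urgency" entity; Sublime's model is not reproduced here.
URGENCY_TERMS = ("within 24 hours", "immediately", "act now", "final notice", "urgent")

@dataclass
class Email:
    inbound: bool
    body_text: str
    links: list   # URLs found in the body
    to: list      # recipient addresses, e.g. ["jane.doe@example.com"]

def ilike_count(text: str, phrases) -> int:
    # Mirrors "3 of (...)": how many phrases occur, ignoring case.
    lowered = text.lower()
    return sum(p in lowered for p in phrases)

def has_urgency(text: str) -> bool:
    lowered = text.lower()
    return any(t in lowered for t in URGENCY_TERMS)

def addressed_by_local_part(text: str, recipients) -> bool:
    # The rule compares an NLU entity's text to ..email.local_part; here a body
    # token (trailing punctuation stripped) must equal a recipient's local part.
    tokens = {t.lower().strip(".") for t in re.findall(r"[\w.+-]+", text)}
    return any(addr.split("@", 1)[0].lower() in tokens for addr in recipients)

def evaluate(email: Email) -> dict:
    # Per-condition results; the rule fires only when every condition is True.
    text = email.body_text
    return {
        "inbound": email.inbound,
        "has_link": len(email.links) > 0,
        "shipping_keywords": ilike_count(text, SHIPPING_PHRASES) >= 3,
        "urgency": has_urgency(text),
        "addressed_by_local_part": addressed_by_local_part(text, email.to),
    }

def matches_rule(email: Email) -> bool:
    return all(evaluate(email).values())

# Constructed sample messages (not real mail).
PHISH = Email(True, "Dear jane.doe, your package (1) is waiting for delivery. Delivery missed "
              "on 3rd attempt. Confirm your tracking number within 24 hours to avoid return.",
              ["https://tracking.example.invalid/confirm"], ["jane.doe@example.com"])
LEGIT = Email(True, "Hi Jane, your order has shipped. Tracking number 1Z999 is waiting for "
              "delivery updates.", ["https://carrier.example/track"], ["jane.doe@example.com"])
```

`evaluate()` returns each condition separately so an analyst can see which of the five signals drove a hit or a miss when tuning the phrase list.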