Xero infrastructure abuse

 1name: "Xero infrastructure abuse"
 2description: "Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.email == "messaging-service@post.xero.com"
 8  and 
 9  // there are external links (not org or xero domains)
10  length(filter(body.links,
11                .href_url.domain.domain not in $org_domains
12                and .href_url.domain.root_domain not in ("xero.com", )
13         )
14  ) > 0
15  and (
16    any(ml.nlu_classifier(body.current_thread.text).intents,
17        .name == "cred_theft" and .confidence == "high"
18    )
19    // subject match when cred_theft doesn't match
20    // high confidence observed subject intros in the format of "Urgent Thing: ..."
21    or regex.icontains(subject.subject,
22                       '^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
23    )
24    or any(ml.logo_detect(file.message_screenshot()).brands,
25           .name in ("Facebook", "Meta", "Instagram")
26           and .confidence in ("medium", "high")
27    )
28    // any of the links are for newly registered domains
29    or any(filter(body.links,
30                  .href_url.domain.domain not in $org_domains
31                  and .href_url.domain.root_domain not in ("xero.com")
32           ),
33           network.whois(.href_url.domain).days_old < 30
34    )
35    or (
36      any(beta.ml_topic(body.current_thread.text).topics,
37          .name in ("B2B Cold Outreach", "Professional and Career Development") and .confidence != "low"
38      )
39    )
40    // sender display name or subject contains confusables
41    or (
42      sender.display_name != strings.replace_confusables(sender.display_name)
43      or subject.subject != strings.replace_confusables(subject.subject)
44    )
45  )
46  and (
47    ( // sender domain matches no body domains
48      length(body.links) > 0
49      and all(body.links,
50              .href_url.domain.root_domain not in ("xero.com", )
51              or .href_url.domain.root_domain is null
52      )
53    )
54    // link contains email address
55    or any(recipients.to,
56           .email.domain.valid
57           and any(body.links,
58                   strings.icontains(.href_url.url, ..email.email)
59                   or any(beta.scan_base64(.href_url.url,
60                                           format="url",
61                                           ignore_padding=true
62                          ),
63                          strings.icontains(., ...email.email)
64                   )
65                   or any(beta.scan_base64(.href_url.fragment,
66                                           ignore_padding=true
67                          ),
68                          strings.icontains(., ...email.email)
69                   )
70                   // cloudflare turnstile or phishing warning page
71                   or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
72                                        "cloudflare"
73                   )
74           )
75    )
76    or regex.icontains(subject.subject,
77                       "termination.*notice"
78    )
79    or any(ml.nlu_classifier(body.current_thread.text).entities,
80         .name == "sender" and regex.icontains(.text, 'Recruitment|staffing|\bhr\b')
81    )
82  )  
83attack_types:
84  - "Credential Phishing"
85tactics_and_techniques:
86  - "Evasion"
87  - "Social engineering"
88detection_methods:
89  - "Content analysis"
90  - "Header analysis"
91  - "Natural Language Understanding"
92  - "URL analysis"
93id: "918c4bd3-987f-5f69-bb46-9465a0b87837"