Xero infrastructure abuse
Identifies messages that resemble credential theft, originating from Xero. Xero infrastructure abuse has been observed recently to send phishing attacks.
# Sublime detection rule: inbound mail from the Xero messaging sender that
# carries credential-phishing signals (NLU intent, subject patterns, brand
# logos, new domains, confusables) together with at least one external link.
# Detection logic lives in the MQL `source` block; the trailing keys are
# classification metadata.
name: "Xero infrastructure abuse"
description: "Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // scope: only mail whose sender address is exactly this Xero address;
  // any other Xero sending address (if one exists) is not covered here
  and sender.email.email == "messaging-service@post.xero.com"
  and
  // there are external links (not org or xero domains)
  length(filter(body.links,
                .href_url.domain.domain not in $org_domains
                and .href_url.domain.root_domain not in ("xero.com", )
         )
  ) > 0
  // at least one phishing indicator must be present
  and (
    // NLU intent classifier: high-confidence credential theft only
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    // subject match when cred_theft doesn't match
    // high confidence observed subject intros in the format of "Urgent Thing: ..."
    or regex.icontains(subject.subject,
                       '^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
    )
    // a social-media brand logo rendered in the message screenshot
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name in ("Facebook", "Meta", "Instagram")
           and .confidence in ("medium", "high")
    )
    // any of the links are for newly registered domains
    // (one whois lookup per external link; domain age under 30 days)
    or any(filter(body.links,
                  .href_url.domain.domain not in $org_domains
                  // NOTE(review): written without the trailing comma that the
                  // single-element lists above and below use — confirm the
                  // parser treats ("xero.com") as a list, not a grouped string
                  and .href_url.domain.root_domain not in ("xero.com")
           ),
           network.whois(.href_url.domain).days_old < 30
    )
    // topic classifier: any confidence other than "low" counts
    or (
      any(beta.ml_topic(body.current_thread.text).topics,
          .name in ("B2B Cold Outreach", "Professional and Career Development") and .confidence != "low"
      )
    )
    // sender display name or subject contains confusables
    // (normalising confusables changes the string only if it held any)
    or (
      sender.display_name != strings.replace_confusables(sender.display_name)
      or subject.subject != strings.replace_confusables(subject.subject)
    )
  )
  // second gate: the links or the text must also look unlike Xero traffic
  and (
    ( // sender domain matches no body domains
      // links without a parseable root domain also count as non-Xero
      length(body.links) > 0
      and all(body.links,
              .href_url.domain.root_domain not in ("xero.com", )
              or .href_url.domain.root_domain is null
      )
    )
    // link contains email address
    // (checked in the raw URL and in base64-decoded URL/fragment content;
    // the extra leading dots refer to the enclosing recipients.to element)
    or any(recipients.to,
           .email.domain.valid
           and any(body.links,
                   strings.icontains(.href_url.url, ..email.email)
                   or any(beta.scan_base64(.href_url.url,
                                           format="url",
                                           ignore_padding=true
                          ),
                          strings.icontains(., ...email.email)
                   )
                   or any(beta.scan_base64(.href_url.fragment,
                                           ignore_padding=true
                          ),
                          strings.icontains(., ...email.email)
                   )
                   // cloudflare turnstile or phishing warning page
                   // NOTE(review): this condition does not reference the
                   // recipient, so it is re-evaluated for every recipients.to
                   // entry while nested here
                   or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
                                        "cloudflare"
                   )
           )
    )
    // subject themed as an account/service termination notice
    or regex.icontains(subject.subject,
                       "termination.*notice"
    )
    // NLU "sender" entity text claims a recruitment / staffing / HR role
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "sender" and regex.icontains(.text, 'Recruitment|staffing|\bhr\b')
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "918c4bd3-987f-5f69-bb46-9465a0b87837"