Xero Infrastructure Abuse
Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks.
Sublime rule (View on GitHub)
1name: "Xero Infrastructure Abuse"
2description: "Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and sender.email.email == "messaging-service@post.xero.com"
8 and
9 // there are external links (not org or xero domains)
10 length(filter(body.links,
11 .href_url.domain.domain not in $org_domains
12 and .href_url.domain.root_domain not in ("xero.com", )
13 )
14 ) > 0
15 and (
16 any(ml.nlu_classifier(body.current_thread.text).intents,
17 .name == "cred_theft" and .confidence == "high"
18 )
19 // subject match when cred_theft doesn't match
20 // high confidence observed subject intros in the format of "Urgent Thing: ..."
21 or regex.icontains(subject.subject,
22 '^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
23 )
24 or any(ml.logo_detect(beta.message_screenshot()).brands,
25 .name in ("Facebook", "Meta", "Instagram")
26 and .confidence in ("medium", "high")
27 )
28 // any of the links are for newly registered domains
29 or any(filter(body.links,
30 .href_url.domain.domain not in $org_domains
31 and .href_url.domain.root_domain not in ("xero.com")
32 ),
33 network.whois(.href_url.domain).days_old < 30
34 )
35 or (
36 any(beta.ml_topic(body.current_thread.text).topics,
37 .name == "Professional and Career Development" and .confidence != "low"
38 )
39 )
40 )
41 and (
42 ( // sender domain matches no body domains
43 length(body.links) > 0
44 and all(body.links,
45 .href_url.domain.root_domain not in ("xero.com", )
46 or .href_url.domain.root_domain is null
47 )
48 )
49 // link contains email address
50 or any(recipients.to,
51 .email.domain.valid
52 and any(body.links,
53 strings.icontains(.href_url.url, ..email.email)
54 or any(beta.scan_base64(.href_url.url,
55 format="url",
56 ignore_padding=true
57 ),
58 strings.icontains(., ...email.email)
59 )
60 or any(beta.scan_base64(.href_url.fragment,
61 ignore_padding=true
62 ),
63 strings.icontains(., ...email.email)
64 )
65 // cloudflare turnstile or phishing warning page
66 or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
67 "cloudflare"
68 )
69 )
70 )
71 or regex.icontains(subject.subject,
72 "termination.*notice",
73 "38417",
74 ":completed",
75 "[il1]{2}mit.*ma[il1]{2} ?bo?x",
76 "[il][il][il]egai[ -]",
77 "[li][li][li]ega[li] attempt",
78 "[ng]-?[io]n .*block",
79 "[ng]-?[io]n .*cancel",
80 "[ng]-?[io]n .*deactiv",
81 "[ng]-?[io]n .*disabl",
82 "action.*required",
83 "abandon.*package",
84 "about.your.account",
85 "acc(ou)?n?t (is )?on ho[li]d",
86 "acc(ou)?n?t.*terminat",
87 "acc(oun)?t.*[il1]{2}mitation",
88 "access.*limitation",
89 "account (will be )?block",
90 "account.*de-?activat",
91 "account.*locked",
92 "account.*restrict",
93 "account.*re-verification",
94 "account.*security",
95 "account.*suspension",
96 "account.has.been",
97 "account.has.expired",
98 "account.will.be.blocked",
99 "account v[il]o[li]at",
100 "activity.*acc(oun)?t",
101 "almost.full",
102 "app[li]e.[il]d",
103 "appeal required",
104 "authenticate.*account",
105 "been.*suspend",
106 "clos.*of.*account.*processed",
107 "confirm.your.account",
108 "copyright (?:restriction|infringment)",
109 "courier.*able",
110 "crediential.*notif",
111 "Critical Alert",
112 "deactivation.*in.*progress",
113 "delivery.*attempt.*failed",
114 "document.received",
115 "documented.*shared.*with.*you",
116 "dropbox.*document",
117 "e-?ma[il1]+ .{010}suspen",
118 "e-?ma[il1]{1} user",
119 "e-?ma[il1]{2} acc",
120 "e-?ma[il1]{2}.*up.?grade",
121 "e.?ma[il1]{2}.*server",
122 "e.?ma[il1]{2}.*suspend",
123 "email.update",
124 "faxed you",
125 "final notice",
126 "fraud(ulent)?.*charge",
127 "from.helpdesk",
128 "fu[il1]{2}.*ma[il1]+[ -]?box",
129 "has.been.*suspended",
130 "has.been.limited",
131 "have.locked",
132 "he[li]p ?desk upgrade",
133 "heipdesk",
134 "i[il]iega[il]",
135 "ii[il]ega[il]",
136 "immediate action",
137 "incoming e?mail",
138 "incoming.*fax",
139 "lock.*security",
140 "ma[il1]{1}[ -]?box.*quo",
141 "ma[il1]{2}[ -]?box.*fu[il1]",
142 "ma[il1]{2}box.*[il1]{2}mit",
143 "ma[il1]{2}box stor",
144 "mail on.?hold",
145 "mail.*box.*migration",
146 "mail.*de-?activat",
147 "mail.update.required",
148 "mails.*pending",
149 "messages.*pending",
150 "missed.*shipping.*notification",
151 "missed.shipment.notification",
152 "must.update.your.account",
153 "new [sl][io]g?[nig][ -]?in from",
154 "new voice ?-?mail",
155 "notifications.*pending",
156 "office.*3.*6.*5.*suspend",
157 "office365",
158 "on google docs with you",
159 "online doc",
160 "password.*compromised",
161 "periodic maintenance",
162 "potential(ly)? unauthorized",
163 "refund not approved",
164 "restrictions applied",
165 "report",
166 "revised.*policy",
167 "scam",
168 "scanned.?invoice",
169 "secured?.update",
170 "security breach",
171 "securlty",
172 "signed.*delivery",
173 "social media",
174 "status of your .{314}? ?delivery",
175 "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
176 "suspicious.*sign.*[io]n",
177 "suspicious.activit",
178 "temporar(il)?y deactivate",
179 "temporar[il1]{2}y disab[li]ed",
180 "temporarily.*lock",
181 "time.sensitive",
182 "un-?usua[li].activity",
183 "unable.*deliver",
184 "unauthorized.*activit",
185 "unauthorized.device",
186 "unauthorized.use",
187 "undelivered message",
188 "unread.*doc",
189 "unusual.activity",
190 "upgrade.*account",
191 "upgrade.notice",
192 "urgent message",
193 "urgent.verification",
194 "v[il1]o[li1]at[il1]on security",
195 "va[il1]{1}date.*ma[il1]{2}[ -]?box",
196 "verification ?-?require",
197 "verification( )?-?need",
198 "verify.your?.account",
199 "web ?-?ma[il1]{2}",
200 "web[ -]?ma[il1]{2}",
201 "will.be.suspended",
202 "your (customer )?account .as",
203 "your.office.365",
204 "your.online.access",
205 "Critical.Notice",
206 "Restore.Access",
207 // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt
208 "account has been limited",
209 "action required",
210 "almost full",
211 "apd notifi cation",
212 "are you at your desk",
213 "are you available",
214 "attached file to docusign",
215 "banking is temporarily unavailable",
216 "bankofamerica",
217 "closing statement invoice",
218 "completed: docusign",
219 "de-activation of",
220 "delivery attempt",
221 "delivery stopped for shipment",
222 "detected suspicious",
223 "detected suspicious actvity",
224 "docu sign",
225 "document for you",
226 "document has been sent to you via docusign",
227 "document is ready for signature",
228 "docusign",
229 "encrypted message",
230 "failed delivery",
231 "fedex tracking",
232 "file was shared",
233 "freefax",
234 "fwd: due invoice paid",
235 "has shared",
236 "inbox is full",
237 "invitation to comment",
238 "invitation to edit",
239 "invoice due",
240 "left you a message",
241 "message from",
242 "new message",
243 "new voicemail",
244 "on desk",
245 "out of space",
246 "password reset",
247 "payment status",
248 "quick reply",
249 "re: w-2",
250 "required",
251 "required: completed docusign",
252 "remittance",
253 "ringcentral",
254 "scanned image",
255 "secured files",
256 "secured pdf",
257 "security alert",
258 "new sign-in",
259 "new sign in",
260 "sign-in attempt",
261 "sign in attempt",
262 "staff review",
263 "suspicious activity",
264 "unrecognized login attempt",
265 "upgrade immediately",
266 "urgent",
267 "wants to share",
268 "w2",
269 "you have notifications pending",
270 "your account",
271 'your (?:\w+\s+){0,1}\s*account',
272 "your amazon order",
273 "your document settlement",
274 "your order with amazon",
275 "your password has been compromised",
276 )
277 or any($suspicious_subjects, strings.icontains(subject.subject, .))
278 )
279attack_types:
280 - "Credential Phishing"
281tactics_and_techniques:
282 - "Evasion"
283 - "Social engineering"
284detection_methods:
285 - "Content analysis"
286 - "Header analysis"
287 - "Natural Language Understanding"
288 - "URL analysis"
289id: "918c4bd3-987f-5f69-bb46-9465a0b87837"