sublime · high · Rule

EML attachment with credential theft language (unknown sender)

Identifies EML attachments that use credential theft language from unknown senders.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

// Scope: inbound messages only.
type.inbound
// we don't look for links because it could be a QR code
// Require an attached EML (by MIME type or .eml extension) whose parsed content
// carries high-confidence credential-theft language, then negate several
// known-benign producers of attached EMLs (bounces, Dynamic Delivery, Mimecast).
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension =~ "eml")
        and (
          // credential theft language in the attached EML
          any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
              .name == "cred_theft" and .confidence == "high"
          )
          // credential theft language in an attachment in the attached EML
          // (text is recovered by OCR of each inner attachment; beta.ocr is a beta function)
          or any(file.parse_eml(.).attachments,
                 any(ml.nlu_classifier(beta.ocr(.).text).intents,
                     .name == "cred_theft" and .confidence == "high"
                 )
          )
        )
        // the inner (attached) message must not come from a bounce/system mailbox.
        // Note: "*administrator*" also negates any inner sender whose local part merely
        // contains that word -- a tuning tradeoff to keep in mind when reviewing misses.
        and not strings.like(file.parse_eml(.).sender.email.local_part,
                             "*postmaster*",
                             "*mailer-daemon*",
                             "*administrator*"
        )
        // some systems attach the bounceback this way
        and not any(file.parse_eml(.).attachments,
                    .content_type in (
                      "message/delivery-status",
                      "message/feedback-report"
                    )
        )
        // negate Microsoft Dynamic Delivery
        // (placeholder EML: no attachments and the Safe Attachments scanning notice in the body)
        and not (
          length(file.parse_eml(.).attachments) == 0
          and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                "Your attachments are currently being scanned by Safe Attachments"
          )
        )
        // Mimecast Protection attached EMLs when replacing attachments
        // (all three must hold: a Mimecast replacement file name, exactly one hop,
        // and Mimecast-specific header fields on that hop)
        and not (
          (
            strings.iends_with(.file_name, 'was removed from this message')
            or .file_name == "We found suspicious links"
            or .file_name == 'We sent you safe versions of your files'
          )
          and length(file.parse_eml(.).headers.hops) == 1
          and any(file.parse_eml(.).headers.hops[0].fields,
                  .name == "X-MC-System"
          )
          and any(file.parse_eml(.).headers.hops[0].fields,
                  .name == "Content-Type"
                  and strings.contains(.value, '; boundary="MCBoundary=_')
          )
        )
)
// exclude bounce backs & read receipts
// (outer message: system-mailbox sender, NDR/read-receipt subject prefix, delivery-status parts)
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not regex.icontains(subject.subject, "^(undelivered|undeliverable|read:)")
and not any(attachments,
            .content_type in (
              "message/delivery-status",
              "message/feedback-report"
            )
)
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
// Sender reputation: the sender is unsolicited, or has prior malicious/spam history
// with no benign history, or is the sole To: recipient (self-addressed message).
and (
  not profile.by_sender_email().solicited
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    // already implied by the unconditional any_messages_benign exclusion below
    and not profile.by_sender_email().any_messages_benign
  )
  // sender address listed as a recipient
  or (
    length(recipients.to) == 1
    and sender.email.email in map(recipients.to, .email.email)
  )
)
// No prior benign mail from this sender, whichever branch above matched.
and not profile.by_sender_email().any_messages_benign
// negate instances where proofpoint sends a review of a reported message via analyzer
// (pinned to the analyzer address, a pphosted.com header domain, and passing SPF and
// DMARC, so a merely spoofed From: address does not satisfy this exclusion)
and not (
  sender.email.email == "analyzer@analyzer.securityeducation.com"
  and any(headers.domains, .root_domain == "pphosted.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Rule file as stored in the feed: display metadata, the MQL query, and classification tags.
name: "EML attachment with credential theft language (unknown sender)"
description: "Identifies EML attachments that use credential theft language from unknown senders."
type: "rule"
# Severity assigned to matches of this rule.
severity: "high"
# MQL query (block scalar); this is the same query shown under "Detection Query" above.
# The `//` lines inside it are MQL comments, not YAML comments.
source: |
  type.inbound
  // we don't look for links because it could be a QR code
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension =~ "eml")
          and (
            // credential theft language in the attached EML
            any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).intents,
                .name == "cred_theft" and .confidence == "high"
            )
            // credential theft language in an attachment in the attached EML
            or any(file.parse_eml(.).attachments,
                   any(ml.nlu_classifier(beta.ocr(.).text).intents,
                       .name == "cred_theft" and .confidence == "high"
                   )
            )
          )
          and not strings.like(file.parse_eml(.).sender.email.local_part,
                               "*postmaster*",
                               "*mailer-daemon*",
                               "*administrator*"
          )
          // some systems attach the bounceback this way
          and not any(file.parse_eml(.).attachments,
                      .content_type in (
                        "message/delivery-status",
                        "message/feedback-report"
                      )
          )
          // negate Microsoft Dynamic Delivery
          and not (
            length(file.parse_eml(.).attachments) == 0
            and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                  "Your attachments are currently being scanned by Safe Attachments"
            )
          )
          // Mimecast Protection attached EMLs when replacing attachments
          and not (
            (
              strings.iends_with(.file_name, 'was removed from this message')
              or .file_name == "We found suspicious links"
              or .file_name == 'We sent you safe versions of your files'
            )
            and length(file.parse_eml(.).headers.hops) == 1
            and any(file.parse_eml(.).headers.hops[0].fields,
                    .name == "X-MC-System"
            )
            and any(file.parse_eml(.).headers.hops[0].fields,
                    .name == "Content-Type"
                    and strings.contains(.value, '; boundary="MCBoundary=_')
            )
          )
  )
  // exclude bounce backs & read receipts
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not regex.icontains(subject.subject, "^(undelivered|undeliverable|read:)")
  and not any(attachments,
              .content_type in (
                "message/delivery-status",
                "message/feedback-report"
              )
  )
  // if the "References" is in the body of the message, it's probably a bounce
  and not any(headers.references, strings.contains(body.html.display_text, .))
  and (
    not profile.by_sender_email().solicited
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    // sender address listed as a recipient
    or (
      length(recipients.to) == 1
      and sender.email.email in map(recipients.to, .email.email)
    )
  )
  and not profile.by_sender_email().any_messages_benign
  // negate instances where proofpoint sends a review of a reported message via analyzer
  and not (
    sender.email.email == "analyzer@analyzer.securityeducation.com"
    and any(headers.domains, .root_domain == "pphosted.com")
    and headers.auth_summary.spf.pass
    and headers.auth_summary.dmarc.pass
  )
# Classification tags used to categorize the rule in the feed.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
# Techniques the query relies on (NLU intent classification, sender profile, content, headers).
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
  - "Content analysis"
  - "Header analysis"
# Stable identifier of this rule.
id: "00e06af1-d67e-513c-b53e-b9548db8c65e"