← Back to Explore
sublimemediumRule
Credential phishing: Suspicious subject with urgent financial request and link
This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender.
Detection Query
type.inbound
and (
0 < length(filter(body.links,
not strings.ilike(.display_text,
"*privacy*",
"*terms of service*",
"Learn why this is important"
)
or .display_text is null
)
) < 5
)
// negate webinar registrations
and not any(body.links,
.display_text =~ "REGISTER NOW"
and .href_url.domain.root_domain == "secureclick.net"
)
// not all links are unsubscribe links
and not all(body.links,
(
strings.icontains(.display_text, "unsubscribe")
and strings.icontains(.href_url.path, "unsubscribe")
)
or (
strings.icontains(.display_text, "deactivate")
and strings.icontains(.href_url.path, "DeactivateAccount")
)
)
// ignore emails in body
and not all(body.links, .href_url.domain.domain in $free_email_providers)
and length(body.current_thread.text) < 2000
and length(subject.subject) < 100
// and suspicious subject
and regex.icontains(subject.subject,
// https://github.com/sublime-security/static-files/blob/main/suspicious_subjects_regex.txt
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.been",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"document.(?:submitted|received)",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"unauthorized.sign.?in",
"unrecognized.*activit",
"unrecognized.sign.?in",
"unrecognized.*activit",
"undelivered message",
"unread.*doc",
"unusual.activity",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access",
// https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
"account has been limited",
"action required",
"almost full",
"apd notifi cation",
"are you at your desk",
"are you available",
"attached file to docusign",
"banking is temporarily unavailable",
"bankofamerica",
"closing statement invoice",
"completed: docusign",
"de-activation of",
"delivery attempt",
"delivery stopped for shipment",
"detected suspicious",
"detected suspicious actvity",
"docu sign",
"document for you",
"document has been sent to you via docusign",
"document is ready for signature",
"docusign",
"encrypted message",
"failed delivery",
"fedex tracking",
"file was shared",
"freefax",
"fwd: due invoice paid",
"has shared",
"inbox is full",
"invitation to comment",
"invitation to edit",
"invoice due",
"left you a message",
"message from",
"new message",
"new voicemail",
"on desk",
"out of space",
"password reset",
"payment status",
"quick reply",
"re: w-2",
"required",
"required: completed docusign",
"ringcentral",
"scanned image",
"secured files",
"secured pdf",
"security alert",
"new sign-in",
"new sign in",
"sign-in attempt",
"sign in attempt",
"staff review",
"suspicious activity",
"unrecognized login attempt",
"upgrade immediately",
"urgent",
"wants to share",
'\bw2\b',
"you have notifications pending",
"your account",
"your amazon order",
"your document settlement",
"your order with amazon",
"your password has been compromised",
// cryptocurrency related subjects
'\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview',
)
// language attempting to engage
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
// financial request
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
)
// urgency request
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
// org presence
and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")
// not a reply
and (
not strings.istarts_with(subject.subject, "re:")
and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// the message is unsolicited and no false positives
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or (
profile.by_sender().any_messages_malicious_or_spam
and profile.by_sender().any_messages_benign
and (
not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negation the only link is the senders email
and not (
regex.contains(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)
and (
all(body.links, .href_url.domain.root_domain == sender.email.domain.domain)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Credential phishing: Suspicious subject with urgent financial request and link"
description: "This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
0 < length(filter(body.links,
not strings.ilike(.display_text,
"*privacy*",
"*terms of service*",
"Learn why this is important"
)
or .display_text is null
)
) < 5
)
// negate webinar registrations
and not any(body.links,
.display_text =~ "REGISTER NOW"
and .href_url.domain.root_domain == "secureclick.net"
)
// not all links are unsubscribe links
and not all(body.links,
(
strings.icontains(.display_text, "unsubscribe")
and strings.icontains(.href_url.path, "unsubscribe")
)
or (
strings.icontains(.display_text, "deactivate")
and strings.icontains(.href_url.path, "DeactivateAccount")
)
)
// ignore emails in body
and not all(body.links, .href_url.domain.domain in $free_email_providers)
and length(body.current_thread.text) < 2000
and length(subject.subject) < 100
// and suspicious subject
and regex.icontains(subject.subject,
// https://github.com/sublime-security/static-files/blob/main/suspicious_subjects_regex.txt
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.been",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"document.(?:submitted|received)",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"unauthorized.sign.?in",
"unrecognized.*activit",
"unrecognized.sign.?in",
"unrecognized.*activit",
"undelivered message",
"unread.*doc",
"unusual.activity",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access",
// https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
"account has been limited",
"action required",
"almost full",
"apd notifi cation",
"are you at your desk",
"are you available",
"attached file to docusign",
"banking is temporarily unavailable",
"bankofamerica",
"closing statement invoice",
"completed: docusign",
"de-activation of",
"delivery attempt",
"delivery stopped for shipment",
"detected suspicious",
"detected suspicious actvity",
"docu sign",
"document for you",
"document has been sent to you via docusign",
"document is ready for signature",
"docusign",
"encrypted message",
"failed delivery",
"fedex tracking",
"file was shared",
"freefax",
"fwd: due invoice paid",
"has shared",
"inbox is full",
"invitation to comment",
"invitation to edit",
"invoice due",
"left you a message",
"message from",
"new message",
"new voicemail",
"on desk",
"out of space",
"password reset",
"payment status",
"quick reply",
"re: w-2",
"required",
"required: completed docusign",
"ringcentral",
"scanned image",
"secured files",
"secured pdf",
"security alert",
"new sign-in",
"new sign in",
"sign-in attempt",
"sign in attempt",
"staff review",
"suspicious activity",
"unrecognized login attempt",
"upgrade immediately",
"urgent",
"wants to share",
'\bw2\b',
"you have notifications pending",
"your account",
"your amazon order",
"your document settlement",
"your order with amazon",
"your password has been compromised",
// cryptocurrency related subjects
'\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview',
)
// language attempting to engage
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
// financial request
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
)
// urgency request
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
// org presence
and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")
// not a reply
and (
not strings.istarts_with(subject.subject, "re:")
and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// the message is unsolicited and no false positives
and (
not profile.by_sender_email().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or (
profile.by_sender().any_messages_malicious_or_spam
and profile.by_sender().any_messages_benign
and (
not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// negation the only link is the senders email
and not (
regex.contains(body.current_thread.text,
"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
)
and (
all(body.links, .href_url.domain.root_domain == sender.email.domain.domain)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "056464f4-7a16-5f07-ab86-912e0a64ecae"