← Back to Explore
sublimemediumRule
X (Twitter) impersonation with credential phishing motives
This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.
Detection Query
type.inbound
and sender.display_name =~ "x"
and sender.email.domain.root_domain not in ("twitter.com", "x.com")
and (
any(attachments,
.file_type in~ $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
// sender profile is new or outlier
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or sender.email.email in ("noreply@salesforce.com", "support@salesforce.com")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
// salesforce has been abused for x/twitter phishing campaigns repeatedly
or sender.email.domain.root_domain == "salesforce.com"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "X (Twitter) impersonation with credential phishing motives"
description: |
This rule is designed to identify impersonation attempts by analyzing the display name or sender's
local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com.
Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.display_name =~ "x"
and sender.email.domain.root_domain not in ("twitter.com", "x.com")
and (
any(attachments,
.file_type in~ $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
// sender profile is new or outlier
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or sender.email.email in ("noreply@salesforce.com", "support@salesforce.com")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
// salesforce has been abused for x/twitter phishing campaigns repeatedly
or sender.email.domain.root_domain == "salesforce.com"
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "File analysis"
- "Header analysis"
- "Optical Character Recognition"
- "Natural Language Understanding"
- "Sender analysis"
id: "0b60dca6-db2d-5718-94d8-fdbfd06bd081"