EXPLORE
← Back to Explore
sublimemediumRule

Impersonation: IT Department mailbox storage alert

Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and strings.contains(body.current_thread.text, 'MAILBOX STORAGE ALERT')
and all([
          'Clean Inbox',
          'Storage Guide',
          'Empty Deleted Items',
          'Clean Mailbox Now',
          'Contact IT Support'
        ],
        . in map(html.xpath(body.html, '//a').nodes, .display_text)
)
and any(body.previous_threads,
        strings.contains(.text, 'IT Department')
        and strings.contains(.text, 'call ext. 5555')
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Impersonation: IT Department mailbox storage alert"
description: "Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.contains(body.current_thread.text, 'MAILBOX STORAGE ALERT')
  and all([
            'Clean Inbox',
            'Storage Guide',
            'Empty Deleted Items',
            'Clean Mailbox Now',
            'Contact IT Support'
          ],
          . in map(html.xpath(body.html, '//a').nodes, .display_text)
  )
  and any(body.previous_threads,
          strings.contains(.text, 'IT Department')
          and strings.contains(.text, 'call ext. 5555')
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
id: "1a1753f3-4658-59bc-9e28-0c8ed6e87e9a"