← Back to Explore
sublimemediumRule
Impersonation: IT Department mailbox storage alert
Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert.
Detection Query
type.inbound
and strings.contains(body.current_thread.text, 'MAILBOX STORAGE ALERT')
and all([
'Clean Inbox',
'Storage Guide',
'Empty Deleted Items',
'Clean Mailbox Now',
'Contact IT Support'
],
. in map(html.xpath(body.html, '//a').nodes, .display_text)
)
and any(body.previous_threads,
strings.contains(.text, 'IT Department')
and strings.contains(.text, 'call ext. 5555')
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Impersonation: IT Department mailbox storage alert"
description: "Detects inbound messages impersonating an internal IT Department by presenting a fake mailbox storage alert."
type: "rule"
severity: "medium"
source: |
type.inbound
and strings.contains(body.current_thread.text, 'MAILBOX STORAGE ALERT')
and all([
'Clean Inbox',
'Storage Guide',
'Empty Deleted Items',
'Clean Mailbox Now',
'Contact IT Support'
],
. in map(html.xpath(body.html, '//a').nodes, .display_text)
)
and any(body.previous_threads,
strings.contains(.text, 'IT Department')
and strings.contains(.text, 'call ext. 5555')
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Employee"
- "Social engineering"
- "Out of band pivot"
detection_methods:
- "Content analysis"
id: "1a1753f3-4658-59bc-9e28-0c8ed6e87e9a"