← Back to Explore
sublimehighRule
Attachment: EML with link to credential phishing page
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
Detection Query
type.inbound
and length(attachments) == 1
and any(attachments,
(.content_type == "message/rfc822" or .file_extension =~ "eml")
// identifies suspicious URLs in the attached EML
and any(file.parse_eml(.).body.links,
(
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
and ml.link_analysis(., mode="aggressive").credphish.confidence in (
"medium",
"high"
)
)
// or any links in the final dom lead to a suspicious tld
or any(ml.link_analysis(.).final_dom.links,
.href_url.domain.tld in $suspicious_tlds
or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
)
// link redirects to a suspicious TLD
or any(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld in $suspicious_tlds
)
or (
// suspicious redirects
// 3 or more different domains with 2 or more different TLDs
// careful because click trackers will always make this at least 2
// different domains and not unlikely 2 or more TLDs
length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld
)
)
) >= 2
and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.domain
)
)
) >= 3
)
)
// identifies other suspicious indicators
and (
// engaging language in the original body
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
// // engaging language in the attached EML
or any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).entities,
.name == "request"
)
// recipient SLD impersonated in the subject or display name
or any(recipients.to,
// ensure that we're checking the org SLD
.email.domain.sld in $org_slds
and (
strings.icontains(subject.subject, .email.domain.sld)
or strings.icontains(sender.display_name, .email.domain.sld)
)
)
// mismatched sender (From) and Reply-to + freemail
or any(headers.reply_to,
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain != sender.email.domain.root_domain
and .email.domain.root_domain in $free_email_providers
)
)
or any($suspicious_subjects, strings.icontains(subject.subject, .))
or regex.icontains(subject.subject,
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.been",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"document.received",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"report",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"undelivered message",
"unread.*doc",
"unusual.activity",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access",
)
)
)
// exclude bounce backs & read receipts
and not strings.ilike(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
// exclude optonline deprecated mailbox returns
and (
not strings.starts_with(sender.display_name, "Auto-reply")
and sender.email.domain.root_domain == "optonline.net"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: EML with link to credential phishing page"
description: |
Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
type: "rule"
severity: "high"
source: |
type.inbound
and length(attachments) == 1
and any(attachments,
(.content_type == "message/rfc822" or .file_extension =~ "eml")
// identifies suspicious URLs in the attached EML
and any(file.parse_eml(.).body.links,
(
ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
and ml.link_analysis(., mode="aggressive").credphish.confidence in (
"medium",
"high"
)
)
// or any links in the final dom lead to a suspicious tld
or any(ml.link_analysis(.).final_dom.links,
.href_url.domain.tld in $suspicious_tlds
or ml.link_analysis(.href_url).effective_url.domain.tld in $suspicious_tlds
)
// link redirects to a suspicious TLD
or any(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld in $suspicious_tlds
)
or (
// suspicious redirects
// 3 or more different domains with 2 or more different TLDs
// careful because click trackers will always make this at least 2
// different domains and not unlikely 2 or more TLDs
length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld
)
)
) >= 2
and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.domain
)
)
) >= 3
)
)
// identifies other suspicious indicators
and (
// engaging language in the original body
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
// // engaging language in the attached EML
or any(ml.nlu_classifier(file.parse_eml(.).body.current_thread.text).entities,
.name == "request"
)
// recipient SLD impersonated in the subject or display name
or any(recipients.to,
// ensure that we're checking the org SLD
.email.domain.sld in $org_slds
and (
strings.icontains(subject.subject, .email.domain.sld)
or strings.icontains(sender.display_name, .email.domain.sld)
)
)
// mismatched sender (From) and Reply-to + freemail
or any(headers.reply_to,
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.root_domain != sender.email.domain.root_domain
and .email.domain.root_domain in $free_email_providers
)
)
or any($suspicious_subjects, strings.icontains(subject.subject, .))
or regex.icontains(subject.subject,
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.been",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"document.received",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"report",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"undelivered message",
"unread.*doc",
"unusual.activity",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access",
)
)
)
// exclude bounce backs & read receipts
and not strings.ilike(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
// exclude optonline deprecated mailbox returns
and (
not strings.starts_with(sender.display_name, "Auto-reply")
and sender.email.domain.root_domain == "optonline.net"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Free file host"
- "Free subdomain host"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "File analysis"
- "Header analysis"
- "HTML analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "URL analysis"
- "URL screenshot"
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"