← Back to Explore
sublimemediumRule
Attachment: Fake secure message and suspicious indicators
Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.
Detection Query
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// ----- other suspicious signals here -----
and any(attachments,
any(file.explode(.),
any(.scan.strings.strings, strings.icontains(., "secure message"))
and (
any(.scan.url.urls, .domain.tld in $suspicious_tlds)
or any(.scan.url.urls,
any(.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
and (
any(.scan.url.urls,
.domain.root_domain != sender.email.domain.root_domain
)
or not sender.email.domain.valid
)
)
)
// negate legitimate message senders
and (
(
sender.email.domain.root_domain not in ("protectedtrust.com")
or not sender.email.domain.valid
)
and any(headers.hops,
.index == 0
and not any(.fields,
strings.contains(.value,
'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
)
)
)
and not (
any(headers.hops, any(.fields, .name == 'X-ZixNet'))
and any(headers.domains,
.root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
)
)
and not all(body.links,
.href_url.domain.root_domain in ("mimecast.com", "cisco.com")
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Fake secure message and suspicious indicators"
description: 'Body contains language resembling credential theft, and an attached "secure message" from an untrusted sender.'
type: "rule"
severity: "medium"
source: |
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// ----- other suspicious signals here -----
and any(attachments,
any(file.explode(.),
any(.scan.strings.strings, strings.icontains(., "secure message"))
and (
any(.scan.url.urls, .domain.tld in $suspicious_tlds)
or any(.scan.url.urls,
any(.rewrite.encoders,
strings.icontains(., "open_redirect")
)
)
)
and (
any(.scan.url.urls,
.domain.root_domain != sender.email.domain.root_domain
)
or not sender.email.domain.valid
)
)
)
// negate legitimate message senders
and (
(
sender.email.domain.root_domain not in ("protectedtrust.com")
or not sender.email.domain.valid
)
and any(headers.hops,
.index == 0
and not any(.fields,
strings.contains(.value,
'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
)
)
)
and not (
any(headers.hops, any(.fields, .name == 'X-ZixNet'))
and any(headers.domains,
.root_domain in ("zixport.com", "zixcorp.com", "zixmail.net")
)
)
and not all(body.links,
.href_url.domain.root_domain in ("mimecast.com", "cisco.com")
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Image as content"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "20a34d94-61b7-5f8c-8070-47edce70e5de"