EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Credential phishing: Fake card notification with tracking lure

Detects inbound messages using fake credit card delivery or approval themes with credential theft intent. Messages contain card-related language paired with delivery or status indicators, and tracking call-to-action links.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound
and (
  (
    regex.icontains(subject.base, '\bcard\b')
    or regex.icontains(body.current_thread.text, '\bcard\b')
  )
  and strings.ilike(body.current_thread.text,
                    "*could be with you*",
                    "*currently accessible*",
                    "*collect bank details*",
                    "*not a financial institution*"
  )
)
and any(body.links,
        strings.ilike(.display_text,
                      "*track order*",
                      "*track*card*",
                      "*card status*"
        )
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Credential phishing: Fake card notification with tracking lure"
description: "Detects inbound messages using fake credit card delivery or approval themes with credential theft intent. Messages contain card-related language paired with delivery or status indicators, and tracking call-to-action links."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      regex.icontains(subject.base, '\bcard\b')
      or regex.icontains(body.current_thread.text, '\bcard\b')
    )
    and strings.ilike(body.current_thread.text,
                      "*could be with you*",
                      "*currently accessible*",
                      "*collect bank details*",
                      "*not a financial institution*"
    )
  )
  and any(body.links,
          strings.ilike(.display_text,
                        "*track order*",
                        "*track*card*",
                        "*card status*"
          )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
  )
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "URL analysis"
  - "Sender analysis"
id: "22cec280-7dfa-5da0-bd2b-8a5bfd83fa5c"