
Credential phishing: Re-Authentication lure

Contains suspicious links and server-related terminology, requesting email account reauthentication with language targeting recipient credentials.

MITRE ATT&CK

initial-access

Detection Query

// Scope: inbound mail only, with a short current-thread body (< 2000 chars)
// and fewer than 10 links.
type.inbound
and length(body.current_thread.text) < 2000
and length(body.links) < 10
// NLU gate: a high-confidence credential-theft intent, OR a body the
// classifier reports as non-English.
// NOTE(review): the second branch means a non-English message reaches the
// rest of the rule without any intent match at all — confirm this is intended.
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence == "high"
  )
  or ml.nlu_classifier(body.current_thread.text).language != "english"
)
// The body must additionally carry the "Security and Authentication" topic
// at high confidence.
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name == "Security and Authentication" and .confidence == "high"
)

// email server language
// At least three of the indicators below must hold. Most are literal phrases
// typical of mail-server / account-termination lures; the recipients.to checks
// (restricted to recipients with a valid domain) look for the recipient's own
// address, local part or root domain being echoed back in the subject or body.
and 3 of (
  strings.icontains(body.current_thread.text, "security token"),
  strings.icontains(body.current_thread.text, "still active"),
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
  regex.icontains(body.current_thread.text, 're[- ]?activat(e|ing)'),
  // case-sensitive on purpose: the DNS record type, not the letters "mx" in a word
  regex.contains(body.current_thread.text, '\bMX\b'),
  strings.icontains(body.current_thread.text, "mail servers"),
  strings.icontains(body.current_thread.text, "email termination"),
  strings.icontains(body.current_thread.text, "locked out"),
  strings.icontains(body.current_thread.text, "email account"),
  strings.icontains(body.current_thread.text, "credential"),
  strings.icontains(subject.base, "disconnection"),
  // recipient's full address appears in the subject
  any(recipients.to,
      .email.domain.valid and strings.icontains(subject.base, .email.email)
  ),
  // body greets the recipient by the local part of their address
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat("dear ", .email.local_part)
      )
  ),
  // "<recipient root domain> server", with a single space ...
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat(.email.domain.root_domain, " server")
      )
  ),
  // ... and the same phrase with two spaces
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat(.email.domain.root_domain,
                                           "  server"
                            )
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and strings.icontains(body.current_thread.text,
                            strings.concat("attn: ", .email.local_part)
      )
  ),
  // recipient's address repeated more than once in the body
  any(recipients.to,
      .email.domain.valid
      and strings.icount(body.current_thread.text, .email.email) > 1
  )
)

// suspicious link
// At least two of the indicators below must hold. Every check is applied via
// filter() only to links whose root domain differs from the sender's root
// domain, so links back to the sender's own site are never counted.
and 2 of (
  // display text made up solely of uppercase letters and spaces
  // (regex.match, unlike regex.contains, must match the whole display text)
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      regex.match(.display_text, '[A-Z ]+')
  ),
  // call-to-action words in the link text
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'update')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'confirm')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'resolve')
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      strings.icontains(.display_text, 'auth')
  ),
  // fixed indicators: a specific root domain, a specific URL path, and the
  // shared $suspicious_tlds list
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.domain.root_domain == "ru.com"
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.path == "/lt.php"
  ),
  any(filter(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
      ),
      .href_url.domain.tld in $suspicious_tlds
  ),
  // `..email.email` is the parent-scope reference: while iterating body.links
  // it reads the address of the enclosing recipients.to element, so this
  // fires when a link URL or its display text embeds the recipient's address
  any(recipients.to,
      .email.domain.valid
      and any(filter(body.links,
                     .href_url.domain.root_domain != sender.email.domain.root_domain
              ),
              strings.icontains(.href_url.url, ..email.email)
      )
  ),
  any(recipients.to,
      .email.domain.valid
      and any(filter(body.links,
                     .href_url.domain.root_domain != sender.email.domain.root_domain
              ),
              strings.icontains(.display_text, ..email.email)
      )
  ),
  // free file-hosting providers, matched on either the full domain or its
  // root domain
  (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.domain in $free_file_hosts
    )
    or any(filter(body.links,
                  .href_url.domain.root_domain != sender.email.domain.root_domain
           ),
           .href_url.domain.root_domain in $free_file_hosts
    )
  ),
  // free subdomain providers, same two-level match
  (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.domain in $free_subdomain_hosts
    )
    or any(filter(body.links,
                  .href_url.domain.root_domain != sender.email.domain.root_domain
           ),
           .href_url.domain.root_domain in $free_subdomain_hosts
    )
  )
)
// and the sender is not from high trust sender root domains
// Equivalent to: not (sender root domain in $high_trust_sender_root_domains
// and DMARC passes). A high-trust root domain is exempted only when the
// message actually passes DMARC, so a spoofed high-trust sender is still
// evaluated by this rule.
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime Security rule export: human-readable metadata followed by the MQL
# detection query in `source`.
name: "Credential phishing: Re-Authentication lure"
description: "Contains suspicious links and server-related terminology, requesting email account reauthentication with language targeting recipient credentials."
type: "rule"
severity: "high"
# `source` holds the complete detection query as a YAML block scalar (every
# line indented by two spaces). Its top-level structure: inbound scope, an NLU
# intent/language gate plus a topic match, "3 of" server-terminology
# indicators, "2 of" suspicious-link indicators, and a high-trust-sender
# exemption that applies only when DMARC passes.
source: |
  type.inbound
  and length(body.current_thread.text) < 2000
  and length(body.links) < 10
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or ml.nlu_classifier(body.current_thread.text).language != "english"
  )
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name == "Security and Authentication" and .confidence == "high"
  )
  
  // email server language
  and 3 of (
    strings.icontains(body.current_thread.text, "security token"),
    strings.icontains(body.current_thread.text, "still active"),
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
    regex.icontains(body.current_thread.text, 're[- ]?activat(e|ing)'),
    regex.contains(body.current_thread.text, '\bMX\b'),
    strings.icontains(body.current_thread.text, "mail servers"),
    strings.icontains(body.current_thread.text, "email termination"),
    strings.icontains(body.current_thread.text, "locked out"),
    strings.icontains(body.current_thread.text, "email account"),
    strings.icontains(body.current_thread.text, "credential"),
    strings.icontains(subject.base, "disconnection"),
    any(recipients.to,
        .email.domain.valid and strings.icontains(subject.base, .email.email)
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icontains(body.current_thread.text,
                              strings.concat("dear ", .email.local_part)
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icontains(body.current_thread.text,
                              strings.concat(.email.domain.root_domain, " server")
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icontains(body.current_thread.text,
                              strings.concat(.email.domain.root_domain,
                                             "  server"
                              )
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icontains(body.current_thread.text,
                              strings.concat("attn: ", .email.local_part)
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and strings.icount(body.current_thread.text, .email.email) > 1
    )
  )
  
  // suspicious link
  and 2 of (
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        regex.match(.display_text, '[A-Z ]+')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'update')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'confirm')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'resolve')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        strings.icontains(.display_text, 'auth')
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.root_domain == "ru.com"
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.path == "/lt.php"
    ),
    any(filter(body.links,
               .href_url.domain.root_domain != sender.email.domain.root_domain
        ),
        .href_url.domain.tld in $suspicious_tlds
    ),
    any(recipients.to,
        .email.domain.valid
        and any(filter(body.links,
                       .href_url.domain.root_domain != sender.email.domain.root_domain
                ),
                strings.icontains(.href_url.url, ..email.email)
        )
    ),
    any(recipients.to,
        .email.domain.valid
        and any(filter(body.links,
                       .href_url.domain.root_domain != sender.email.domain.root_domain
                ),
                strings.icontains(.display_text, ..email.email)
        )
    ),
    (
      any(filter(body.links,
                 .href_url.domain.root_domain != sender.email.domain.root_domain
          ),
          .href_url.domain.domain in $free_file_hosts
      )
      or any(filter(body.links,
                    .href_url.domain.root_domain != sender.email.domain.root_domain
             ),
             .href_url.domain.root_domain in $free_file_hosts
      )
    ),
    (
      any(filter(body.links,
                 .href_url.domain.root_domain != sender.email.domain.root_domain
          ),
          .href_url.domain.domain in $free_subdomain_hosts
      )
      or any(filter(body.links,
                    .href_url.domain.root_domain != sender.email.domain.root_domain
             ),
             .href_url.domain.root_domain in $free_subdomain_hosts
      )
    )
  )
  // and the sender is not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Descriptive classification tags for reporting and filtering; the query in
# `source` does not reference them.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "URL analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "2e45d3de-5cbf-57cf-b76d-88286c5ff58e"