← Back to Explore
sublimemediumRule
Service Abuse: Nifty.com with impersonation
Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns
Detection Query
type.inbound
and sender.email.domain.root_domain == "nifty.com"
and (
sender.email.local_part in map(recipients.to, .email.local_part)
or sender.email.local_part in $org_slds
)
and ml.nlu_classifier(body.current_thread.text).language != "japanese"
// and no false positives and not solicited
and not profile.by_sender_email().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service Abuse: Nifty.com with impersonation"
description: "Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns"
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.domain.root_domain == "nifty.com"
and (
sender.email.local_part in map(recipients.to, .email.local_part)
or sender.email.local_part in $org_slds
)
and ml.nlu_classifier(body.current_thread.text).language != "japanese"
// and no false positives and not solicited
and not profile.by_sender_email().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Spoofing"
detection_methods:
- "Sender analysis"
id: "370cfdac-4976-59a1-ae1f-7cd5594eb958"