← Back to Explore
sublimelowRule
Extortion / sextortion in attachment from untrusted sender
Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender.
Detection Query
type.inbound
and length(attachments) < 2
and (
length(body.current_thread.text) < 500
or (
length(ml.nlu_classifier(body.current_thread.text).intents) > 0
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name != "benign"
)
)
)
and any(attachments,
// use ocr output from file.explode on pdfs/images
(
(.file_type in $file_types_images or .file_type == "pdf")
and any(filter(file.explode(.), .scan.ocr.raw is not null),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "extortion" and .confidence == "high"
)
and any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "financial"
)
)
or 3 of (
// malware terms
regex.icontains(.scan.ocr.raw,
"((spy|mal)ware|trojan|remote control|infiltrat(ed|ion))"
),
// actions recorded
regex.icontains(.scan.ocr.raw,
"porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
),
regex.icontains(.scan.ocr.raw,
"pervert|perversion|masturbat"
),
// a timeframe to pay
regex.icontains(.scan.ocr.raw,
'\d\d hours',
'(?:one|two|three) days?'
),
// a promise from the actor
regex.icontains(.scan.ocr.raw,
'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
),
// a threat from the actor
regex.icontains(.scan.ocr.raw,
'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*.{0,10}(contacts|media|family|friends)'
),
// bitcoin
(
regex.icontains(.scan.ocr.raw,
'bitcoin|\bbtc\b|blockchain'
)
// negate cryptocurrency newsletters
and not (
any(body.links,
strings.icontains(.display_text, "unsubscribe")
and (
strings.icontains(.href_url.path, "unsubscribe")
// handle mimecast URL rewrites
or (
.href_url.domain.root_domain == 'mimecastprotect.com'
and strings.icontains(.href_url.query_params,
sender.email.domain.root_domain
)
)
)
)
)
),
// bitcoin wallet address + threat
(
strings.icontains(.scan.ocr.raw, "contact the police")
and regex.icontains(.scan.ocr.raw,
'(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
)
),
regex.icontains(.scan.ocr.raw, 'bc1q.{0,50}\b')
)
)
)
or
// use beta.parse_text on plain text files
(
(
.file_extension in ("txt")
and (
(
any(ml.nlu_classifier(file.parse_text(.).text).intents,
.name == "extortion" and .confidence == "high"
)
and any(ml.nlu_classifier(file.parse_text(.).text).entities,
.name == "financial"
)
)
or 3 of (
// malware terms
regex.icontains(beta.parse_text(.).text,
"((spy|mal)ware|trojan|remote control|infiltrat(ed|ion))"
),
// actions recorded
regex.icontains(beta.parse_text(.).text,
"porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
),
regex.icontains(beta.parse_text(.).text,
"pervert|perversion|masturbat"
),
// a timeframe to pay
regex.icontains(beta.parse_text(.).text,
'\d\d hours',
'(?:one|two|three) days?'
),
// a promise from the actor
regex.icontains(beta.parse_text(.).text,
'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
),
// a threat from the actor
regex.icontains(beta.parse_text(.).text,
'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*.{0,10}(contacts|media|family|friends)'
),
// bitcoin
(
regex.icontains(beta.parse_text(.).text,
'bitcoin|\bbtc\b|blockchain'
)
// negate cryptocurrency newsletters
and not (
any(body.links,
strings.icontains(.display_text, "unsubscribe")
and (
strings.icontains(.href_url.path, "unsubscribe")
// handle mimecast URL rewrites
or (
.href_url.domain.root_domain == 'mimecastprotect.com'
and strings.icontains(.href_url.query_params,
sender.email.domain.root_domain
)
)
)
)
)
),
// bitcoin wallet address + threat
(
strings.icontains(beta.parse_text(.).text,
"contact the police"
)
and regex.icontains(beta.parse_text(.).text,
'(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
)
),
regex.icontains(beta.parse_text(.).text, 'bc1q.{0,50}\b')
)
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
// many extortion emails spoof sender domains and fail sender authentication
or any(headers.hops,
.authentication_results.dmarc == "fail"
or .authentication_results.compauth.verdict not in ("pass", "softpass")
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Extortion / sextortion in attachment from untrusted sender"
description: "Detects extortion and sextortion attempts by analyzing attachment text from an untrusted sender."
type: "rule"
severity: "low"
source: |
type.inbound
and length(attachments) < 2
and (
length(body.current_thread.text) < 500
or (
length(ml.nlu_classifier(body.current_thread.text).intents) > 0
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name != "benign"
)
)
)
and any(attachments,
// use ocr output from file.explode on pdfs/images
(
(.file_type in $file_types_images or .file_type == "pdf")
and any(filter(file.explode(.), .scan.ocr.raw is not null),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "extortion" and .confidence == "high"
)
and any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "financial"
)
)
or 3 of (
// malware terms
regex.icontains(.scan.ocr.raw,
"((spy|mal)ware|trojan|remote control|infiltrat(ed|ion))"
),
// actions recorded
regex.icontains(.scan.ocr.raw,
"porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
),
regex.icontains(.scan.ocr.raw,
"pervert|perversion|masturbat"
),
// a timeframe to pay
regex.icontains(.scan.ocr.raw,
'\d\d hours',
'(?:one|two|three) days?'
),
// a promise from the actor
regex.icontains(.scan.ocr.raw,
'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
),
// a threat from the actor
regex.icontains(.scan.ocr.raw,
'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*.{0,10}(contacts|media|family|friends)'
),
// bitcoin
(
regex.icontains(.scan.ocr.raw,
'bitcoin|\bbtc\b|blockchain'
)
// negate cryptocurrency newsletters
and not (
any(body.links,
strings.icontains(.display_text, "unsubscribe")
and (
strings.icontains(.href_url.path, "unsubscribe")
// handle mimecast URL rewrites
or (
.href_url.domain.root_domain == 'mimecastprotect.com'
and strings.icontains(.href_url.query_params,
sender.email.domain.root_domain
)
)
)
)
)
),
// bitcoin wallet address + threat
(
strings.icontains(.scan.ocr.raw, "contact the police")
and regex.icontains(.scan.ocr.raw,
'(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
)
),
regex.icontains(.scan.ocr.raw, 'bc1q.{0,50}\b')
)
)
)
or
// use beta.parse_text on plain text files
(
(
.file_extension in ("txt")
and (
(
any(ml.nlu_classifier(file.parse_text(.).text).intents,
.name == "extortion" and .confidence == "high"
)
and any(ml.nlu_classifier(file.parse_text(.).text).entities,
.name == "financial"
)
)
or 3 of (
// malware terms
regex.icontains(beta.parse_text(.).text,
"((spy|mal)ware|trojan|remote control|infiltrat(ed|ion))"
),
// actions recorded
regex.icontains(beta.parse_text(.).text,
"porn|adult (web)?site|webcam|masturbating|jerking off|pleasuring yourself|getting off"
),
regex.icontains(beta.parse_text(.).text,
"pervert|perversion|masturbat"
),
// a timeframe to pay
regex.icontains(beta.parse_text(.).text,
'\d\d hours',
'(?:one|two|three) days?'
),
// a promise from the actor
regex.icontains(beta.parse_text(.).text,
'permanently delete|destroy (?:\w+\s*){0,4} (?:data|evidence|videos?)'
),
// a threat from the actor
regex.icontains(beta.parse_text(.).text,
'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*.{0,10}(contacts|media|family|friends)'
),
// bitcoin
(
regex.icontains(beta.parse_text(.).text,
'bitcoin|\bbtc\b|blockchain'
)
// negate cryptocurrency newsletters
and not (
any(body.links,
strings.icontains(.display_text, "unsubscribe")
and (
strings.icontains(.href_url.path, "unsubscribe")
// handle mimecast URL rewrites
or (
.href_url.domain.root_domain == 'mimecastprotect.com'
and strings.icontains(.href_url.query_params,
sender.email.domain.root_domain
)
)
)
)
)
),
// bitcoin wallet address + threat
(
strings.icontains(beta.parse_text(.).text,
"contact the police"
)
and regex.icontains(beta.parse_text(.).text,
'(\b[13][a-km-zA-HJ-NP-Z0-9]{24,33}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
)
),
regex.icontains(beta.parse_text(.).text, 'bc1q.{0,50}\b')
)
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
// many extortion emails spoof sender domains and fail sender authentication
or any(headers.hops,
.authentication_results.dmarc == "fail"
or .authentication_results.compauth.verdict not in ("pass", "softpass")
)
)
attack_types:
- "Extortion"
tactics_and_techniques:
- "Social engineering"
- "Spoofing"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "File analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "3cb8d32c-7c35-5cf9-9a8c-5cb6a1c3bd62"