EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Commonly abused sender TLD with engaging language

Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound

// we don't do a suspicious link check here
// because we are seeing abuse of mass marketing tools
// like campaign[.]adobe[.]com
// once we roll out better support for unfurling those,
// we can update this logic
and length(body.links) > 0

// commonly abused sender TLD
and strings.ilike(sender.email.domain.tld, "*.jp")
and 3 of (
  // language attempting to engage
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),

  // financial request
  any(ml.nlu_classifier(body.current_thread.text).entities,
      .name == "financial"
  ),

  // urgency request
  any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),

  // known suspicious pattern in the URL path
  any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),

  // suspicious image that's most likely cred_theft
  any(attachments,
      .file_type in $file_types_images
      and any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft"
              )
              or any(ml.nlu_classifier(.scan.ocr.raw).entities,
                     .name == "financial"
              )
      )
  ),

  // recipient's SLD is in the sender's display name
  any(recipients.to,
      strings.icontains(sender.display_name, .email.domain.sld)
      and (
        .email.domain.valid or strings.icontains(.display_name, "undisclosed")
      )
  ),

  // recipient's email address in the subject
  any(recipients.to,
      strings.icontains(subject.subject, .email.email)
      and (
        .email.domain.valid or strings.icontains(.display_name, "undisclosed")
      )
  ),
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not sender.email.domain.root_domain in ("amazon.co.jp")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Commonly abused sender TLD with engaging language"
description: |
  Message is from a commonly abused sender TLD, contains various suspicious indicators resembling credential theft, and is unsolicited.
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // we don't do a suspicious link check here
  // because we are seeing abuse of mass marketing tools
  // like campaign[.]adobe[.]com
  // once we roll out better support for unfurling those,
  // we can update this logic
  and length(body.links) > 0
  
  // commonly abused sender TLD
  and strings.ilike(sender.email.domain.tld, "*.jp")
  and 3 of (
    // language attempting to engage
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),
  
    // financial request
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "financial"
    ),
  
    // urgency request
    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
  
    // known suspicious pattern in the URL path
    any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),
  
    // suspicious image that's most likely cred_theft
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).intents,
                    .name == "cred_theft"
                )
                or any(ml.nlu_classifier(.scan.ocr.raw).entities,
                       .name == "financial"
                )
        )
    ),
  
    // recipient's SLD is in the sender's display name
    any(recipients.to,
        strings.icontains(sender.display_name, .email.domain.sld)
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
    ),
  
    // recipient's email address in the subject
    any(recipients.to,
        strings.icontains(subject.subject, .email.email)
        and (
          .email.domain.valid or strings.icontains(.display_name, "undisclosed")
        )
    ),
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not sender.email.domain.root_domain in ("amazon.co.jp")
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "447386dc-e748-5aca-8da4-a3d15345550c"