EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Cloud storage impersonation with credential theft indicators

Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003
initial-access

Detection Query

type.inbound
and 0 < length(body.current_thread.links) < 10
and any([subject.subject, sender.display_name],
        regex.icontains(., "(?:cloud|storage|mailbox|account|system|service)")
)
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
        .name == "cred_theft" and .confidence == "high"
)
and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
            .name == "Customer Service and Support" and .confidence == "high"
)
and regex.icontains(beta.ocr(file.message_screenshot()).text,
                    "storage.{0,50}full",
                    "free.{0,50}upgrade",
                    "storage.{0,50}details",
                    "storage.{0,50}quot",
                    "(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)"
)
and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
and (
  any(body.current_thread.links,
      // fingerprints of a hyperlinked image
      .display_text is null
      and .display_url.url is null
      and .href_url.domain.domain not in $tenant_domains
      and (
        .href_url.domain.root_domain in $free_file_hosts
        or .href_url.domain.root_domain in $url_shorteners
        or network.whois(.href_url.domain).days_old < 365
        or .href_url.domain.root_domain == "beehiiv.com"
        or (
          strings.icontains(.href_url.path, '.html')
          and coalesce(.href_url.domain.root_domain, "null") != sender.email.domain.root_domain
        )
      )
  )
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Cloud storage impersonation with credential theft indicators"
description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.current_thread.links) < 10
  and any([subject.subject, sender.display_name],
          regex.icontains(., "(?:cloud|storage|mailbox|account|system|service)")
  )
  and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
          .name == "cred_theft" and .confidence == "high"
  )
  and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
              .name == "Customer Service and Support" and .confidence == "high"
  )
  and regex.icontains(beta.ocr(file.message_screenshot()).text,
                      "storage.{0,50}full",
                      "free.{0,50}upgrade",
                      "storage.{0,50}details",
                      "storage.{0,50}quot",
                      "(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)"
  )
  and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
  and (
    any(body.current_thread.links,
        // fingerprints of a hyperlinked image
        .display_text is null
        and .display_url.url is null
        and .href_url.domain.domain not in $tenant_domains
        and (
          .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $url_shorteners
          or network.whois(.href_url.domain).days_old < 365
          or .href_url.domain.root_domain == "beehiiv.com"
          or (
            strings.icontains(.href_url.path, '.html')
            and coalesce(.href_url.domain.root_domain, "null") != sender.email.domain.root_domain
          )
        )
    )
  )
  // and the sender is not from high trust sender root domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "4c20f72c-0045-518c-8157-7dad5f196ecc"