Service abuse: AppSheet infrastructure with suspicious indicators
Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastructure abuse has recently been observed delivering phishing attacks.
Detection Query
// Fires on inbound mail from AppSheet's no-reply sender that also carries at
// least one of four indicator groups (link reputation, display name, body
// wording, NLU intent), unless a non-AppSheet reply-to points back at the
// organization. AppSheet is the abused relay here, so the sender match alone
// is never sufficient; every branch below is an additional indicator.
type.inbound
and sender.email.email == "noreply@appsheet.com"
and (
// recently registered or suspicious links
// Only links that leave appsheet.com are inspected; a link counts if its
// registration is at most 10 days old or its host is on one of the
// free-hosting / shortener lists.
(
any(filter(body.links, .href_url.domain.root_domain != "appsheet.com"),
// NOTE(review): when whois has no record, days_old is presumably null and this
// comparison is false, so such a link must hit one of the lists below to match
network.whois(.href_url.domain).days_old <= 10
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $url_shorteners
// account for URL rewrites
// Only the decoded 'domain' query parameter is unwrapped; rewriters that carry
// the destination under a different parameter name are not covered by this branch.
or (
any(.href_url.query_params_decoded['domain'],
(
. in $url_shorteners
or . in $free_subdomain_hosts
or . in $free_file_hosts
)
)
)
)
)
// suspicious display name
or (
// Either pattern satisfies regex.icontains: enforcement/legal wording, or a
// Unicode blank-character confusable that an ordinary display name would not carry.
regex.icontains(sender.display_name,
'(?:legal|misuse|compliance|violation|enforcement)',
// unicode blank character confusables in display name
'\x{00A0}|\x{1680}|\x{2000}|\x{200A}|\x{200B}|\x{202F}|\x{205F}|\x{3000}'
)
// commonly impersonated brands
// Confusables are normalised before the case-insensitive wildcard match, so
// homoglyph spellings of a brand name still hit.
or strings.ilike(strings.replace_confusables(sender.display_name),
'*Apple*',
'*Amazon*',
'*Binance*',
'*Facebook*',
'*Meta*',
'*Google*',
'*LinkedIn*'
)
)
// suspicious pattern in body
// NOTE(review): because of alternation precedence, "Violation", "Contravention",
// "Complaint" and "Misuse" match on their own; only the first alternative requires
// the trailing "Policy/Policies" noun. If this proves noisy, wrap the prefix group
// so the noun applies to every alternative.
or regex.icontains(body.current_thread.text,
'(?:(Copyright|Advertising|Content|Data|Intellectual Property|I\.?\s?P\.?\b) (?:Polic(y|ies))|Violation|Contravention|Complaint|Misuse)|(?:(Enforce(ment)?|Required|Mandatory|Immediate) (?:Action|Response))|Cease (\&|and) Desist'
)
// NLU failsafe
// A medium/high-confidence cred_theft, steal_pii or job_scam intent catches
// messages that none of the lexical indicators above describe.
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in~ ("cred_theft", "steal_pii", "job_scam")
and .confidence in~ ("medium", "high")
)
// negate the NLU result if there is only a single link leading back to AppSheet (likely benign)
// This exclusion applies to the NLU branch only; the link, display-name and
// body-regex branches above are unaffected by it.
and not (
length(body.links) == 1
and any(body.links,
.display_text == "Powered by AppSheet"
and .href_url.domain.root_domain == "appsheet.com"
)
)
)
)
// negate legitimate use of AppSheet within the org
// Drops the alert when a non-AppSheet reply-to address belongs to the org or to
// a recipient domain. NOTE(review): length() yields a count, so `is not null` is
// presumably always true and the guard adds nothing — any() is already false on
// an empty list; `> 0` would state the intent. reply_to is message-supplied data,
// so confirm this suppression is acceptable for the deployment.
and not (
length(headers.reply_to) is not null
and any(filter(headers.reply_to, .email.domain.root_domain != "appsheet.com"),
.email.domain.root_domain in~ $org_domains
or .email.domain.root_domain in~ $recipient_domains
)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Service abuse: AppSheet infrastructure with suspicious indicators"
description: "Identifies messages that resemble credential theft, originating from AppSheet. AppSheet infrastructure abuse has recently been observed delivering phishing attacks."
type: "rule"
severity: "medium"
source: |
// Fires on inbound mail from AppSheet's no-reply sender that also carries at
// least one of four indicator groups (link reputation, display name, body
// wording, NLU intent), unless a non-AppSheet reply-to points back at the
// organization. AppSheet is the abused relay here, so the sender match alone
// is never sufficient; every branch below is an additional indicator.
type.inbound
and sender.email.email == "noreply@appsheet.com"
and (
// recently registered or suspicious links
// Only links that leave appsheet.com are inspected; a link counts if its
// registration is at most 10 days old or its host is on one of the
// free-hosting / shortener lists.
(
any(filter(body.links, .href_url.domain.root_domain != "appsheet.com"),
// NOTE(review): when whois has no record, days_old is presumably null and this
// comparison is false, so such a link must hit one of the lists below to match
network.whois(.href_url.domain).days_old <= 10
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $url_shorteners
// account for URL rewrites
// Only the decoded 'domain' query parameter is unwrapped; rewriters that carry
// the destination under a different parameter name are not covered by this branch.
or (
any(.href_url.query_params_decoded['domain'],
(
. in $url_shorteners
or . in $free_subdomain_hosts
or . in $free_file_hosts
)
)
)
)
)
// suspicious display name
or (
// Either pattern satisfies regex.icontains: enforcement/legal wording, or a
// Unicode blank-character confusable that an ordinary display name would not carry.
regex.icontains(sender.display_name,
'(?:legal|misuse|compliance|violation|enforcement)',
// unicode blank character confusables in display name
'\x{00A0}|\x{1680}|\x{2000}|\x{200A}|\x{200B}|\x{202F}|\x{205F}|\x{3000}'
)
// commonly impersonated brands
// Confusables are normalised before the case-insensitive wildcard match, so
// homoglyph spellings of a brand name still hit.
or strings.ilike(strings.replace_confusables(sender.display_name),
'*Apple*',
'*Amazon*',
'*Binance*',
'*Facebook*',
'*Meta*',
'*Google*',
'*LinkedIn*'
)
)
// suspicious pattern in body
// NOTE(review): because of alternation precedence, "Violation", "Contravention",
// "Complaint" and "Misuse" match on their own; only the first alternative requires
// the trailing "Policy/Policies" noun. If this proves noisy, wrap the prefix group
// so the noun applies to every alternative.
or regex.icontains(body.current_thread.text,
'(?:(Copyright|Advertising|Content|Data|Intellectual Property|I\.?\s?P\.?\b) (?:Polic(y|ies))|Violation|Contravention|Complaint|Misuse)|(?:(Enforce(ment)?|Required|Mandatory|Immediate) (?:Action|Response))|Cease (\&|and) Desist'
)
// NLU failsafe
// A medium/high-confidence cred_theft, steal_pii or job_scam intent catches
// messages that none of the lexical indicators above describe.
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in~ ("cred_theft", "steal_pii", "job_scam")
and .confidence in~ ("medium", "high")
)
// negate the NLU result if there is only a single link leading back to AppSheet (likely benign)
// This exclusion applies to the NLU branch only; the link, display-name and
// body-regex branches above are unaffected by it.
and not (
length(body.links) == 1
and any(body.links,
.display_text == "Powered by AppSheet"
and .href_url.domain.root_domain == "appsheet.com"
)
)
)
)
// negate legitimate use of AppSheet within the org
// Drops the alert when a non-AppSheet reply-to address belongs to the org or to
// a recipient domain. NOTE(review): length() yields a count, so `is not null` is
// presumably always true and the guard adds nothing — any() is already false on
// an empty list; `> 0` would state the intent. reply_to is message-supplied data,
// so confirm this suppression is acceptable for the deployment.
and not (
length(headers.reply_to) is not null
and any(filter(headers.reply_to, .email.domain.root_domain != "appsheet.com"),
.email.domain.root_domain in~ $org_domains
or .email.domain.root_domain in~ $recipient_domains
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "URL analysis"
- "Whois"
id: "5937646a-60b0-5b86-9df0-94c8d18aa774"