
Impersonation Link: Cloud branding service with credential theft language

Detects inbound messages impersonating cloud services that contain high-confidence credential theft language and a file sharing or financial topic. The message body starts with 'Cloud' or a cloud emoji, or contains 'Cloud+ ' text; it carries at least one non-mailto link, and every link's root domain differs from the sender's root domain. Allowlisted cloud businesses, high-trust sender domains and one icloud.com.cn address are excluded only when SPF/DMARC passed; Spark cloud-attachment mail is excluded on header presence alone. (Note: the query does not currently check for the absence of recipient identification entities, even though earlier wording suggested it did.)

MITRE ATT&CK

initial-access

Detection Query

// Purpose: flag inbound mail that leans on "Cloud" branding and reads like a
// credential-theft lure, where every body link points away from the sender's domain.
// Structure: brand cue AND two NLU checks AND two link checks AND NOT (four exceptions).
// NOTE(review): the rule description claims the message "lacks recipient identification
// entities", but no entity check appears anywhere in this query.
type.inbound
and (
  // Brand cue in either the current-thread text or the rendered HTML text.
  // starts_with(., 'Cloud') is case-sensitive; icontains(., "Cloud+ ") is not.
  any([body.current_thread.text, body.html.inner_text],
      strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+ ")
  )
  // cloud emoji (U+2601) as the very first character of the current thread text
  or regex.contains(body.current_thread.text, '^\x{2601}')
)
// NLU: a high-confidence credential-theft intent ...
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == 'cred_theft' and .confidence == 'high'
)
// ... plus a file-sharing/cloud or financial topic at any confidence other than low
and any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          'File Sharing and Cloud Services',
          'Payment Information',
          'Financial Communications'
        )
        and .confidence != 'low'
)
// Link check 1: at least one non-mailto link with a resolvable root domain that is not
// oracle.com. oracle.com is excluded from this count only (it is still subject to the
// sender-domain comparison below); presumably a known benign link source -- confirm.
and length(filter(body.links,
                  .href_url.scheme != 'mailto'
                  and .href_url.domain.root_domain is not null
                  and .href_url.domain.root_domain != 'oracle.com'
           )
) > 0
// Link check 2: every non-mailto link's root domain differs from the sender's root
// domain. A null sender domain is coalesced to "", which matches no link domain, so
// this clause is satisfied vacuously in that case.
and all(filter(body.links,
               .href_url.scheme != 'mailto'
               and .href_url.domain.root_domain is not null
        ),
        .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain,
                                                 ""
        )
)
// Exception 1: a short allowlist of "cloud"-named businesses, honoured only when SPF or
// DMARC passed. This is written without the coalesce(..., false) guard used in the
// exceptions below; presumably equivalent under MQL null semantics -- confirm.
and not (
  coalesce(sender.email.domain.root_domain, "") in (
    "cloud-cme.com",
    "cloudcounting.online",
    "cloudhealthtech.com",
    "cloudpano.com"
  )
  // check for SPF or DMARC passed
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
// Exception 2: highly trusted sender domains, but only with a DMARC pass -- a DMARC
// failure from a trusted domain still fires, since that is the spoofing case.
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
// Exception 3: Spark mail-client cloud attachments, recognised by a header on hop 0.
// NOTE(review): unlike the other exceptions this keys on header presence alone and is
// not tied to SPF/DMARC; any sender can add an X-Readdle-Spark-Cloud-Attachment header,
// so this is a plausible bypass -- consider also requiring a DMARC pass here.
and not any(headers.hops,
            .index == 0
            and any(.fields,
                    .name == "X-Readdle-Spark-Cloud-Attachment"
                    and .value is not null
            )
)
// Exception 4: one exact sender address, again only with a DMARC pass.
and not (
  sender.email.email == "noreply@icloud.com.cn"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
and not (
  sender.email.email == "noreply@icloud.com.cn"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Impersonation Link: Cloud branding service with credential theft language"
description: "Detects inbound messages impersonating cloud services that contain high-confidence credential theft language and a file sharing or financial topic. The message body starts with 'Cloud' or a cloud emoji, or contains 'Cloud+ ' text; it carries at least one non-mailto link, and every link's root domain differs from the sender's root domain. Allowlisted cloud businesses, high-trust sender domains and one icloud.com.cn address are excluded only when SPF/DMARC passed; Spark cloud-attachment mail is excluded on header presence alone. Note: the query does not currently check for the absence of recipient identification entities."
type: "rule"
severity: "medium"
source: |
  // Purpose: flag inbound mail that leans on "Cloud" branding and reads like a
  // credential-theft lure, where every body link points away from the sender's domain.
  // Structure: brand cue AND two NLU checks AND two link checks AND NOT (four exceptions).
  // NOTE(review): the rule description claims the message "lacks recipient identification
  // entities", but no entity check appears anywhere in this query.
  type.inbound
  and (
    // Brand cue in either the current-thread text or the rendered HTML text.
    // starts_with(., 'Cloud') is case-sensitive; icontains(., "Cloud+ ") is not.
    any([body.current_thread.text, body.html.inner_text],
        strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+ ")
    )
    // cloud emoji (U+2601) as the very first character of the current thread text
    or regex.contains(body.current_thread.text, '^\x{2601}')
  )
  // NLU: a high-confidence credential-theft intent ...
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == 'cred_theft' and .confidence == 'high'
  )
  // ... plus a file-sharing/cloud or financial topic at any confidence other than low
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in (
            'File Sharing and Cloud Services',
            'Payment Information',
            'Financial Communications'
          )
          and .confidence != 'low'
  )
  // Link check 1: at least one non-mailto link with a resolvable root domain that is not
  // oracle.com. oracle.com is excluded from this count only (it is still subject to the
  // sender-domain comparison below); presumably a known benign link source -- confirm.
  and length(filter(body.links,
                    .href_url.scheme != 'mailto'
                    and .href_url.domain.root_domain is not null
                    and .href_url.domain.root_domain != 'oracle.com'
             )
  ) > 0
  // Link check 2: every non-mailto link's root domain differs from the sender's root
  // domain. A null sender domain is coalesced to "", which matches no link domain, so
  // this clause is satisfied vacuously in that case.
  and all(filter(body.links,
                 .href_url.scheme != 'mailto'
                 and .href_url.domain.root_domain is not null
          ),
          .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain,
                                                   ""
          )
  )
  // Exception 1: a short allowlist of "cloud"-named businesses, honoured only when SPF or
  // DMARC passed. This is written without the coalesce(..., false) guard used in the
  // exceptions below; presumably equivalent under MQL null semantics -- confirm.
  and not (
    coalesce(sender.email.domain.root_domain, "") in (
      "cloud-cme.com",
      "cloudcounting.online",
      "cloudhealthtech.com",
      "cloudpano.com"
    )
    // check for SPF or DMARC passed
    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  )
  // Exception 2: highly trusted sender domains, but only with a DMARC pass -- a DMARC
  // failure from a trusted domain still fires, since that is the spoofing case.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
  // Exception 3: Spark mail-client cloud attachments, recognised by a header on hop 0.
  // NOTE(review): unlike the other exceptions this keys on header presence alone and is
  // not tied to SPF/DMARC; any sender can add an X-Readdle-Spark-Cloud-Attachment header,
  // so this is a plausible bypass -- consider also requiring a DMARC pass here.
  and not any(headers.hops,
              .index == 0
              and any(.fields,
                      .name == "X-Readdle-Spark-Cloud-Attachment"
                      and .value is not null
              )
  )
  // Exception 4: one exact sender address, again only with a DMARC pass.
  and not (
    sender.email.email == "noreply@icloud.com.cn"
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"