sublimemediumRule

Mass campaign: Cross Site Scripting (XSS) attempt

Message subject or body contains Cross Site Scripting (XSS) indicators, and was sent to multiple unknown senders. Known spam technique.

MITRE ATT&CK

T1566.001 T1204.002 T1486 T1566 T1190 T1203 T1059 T1598

executioninitial-access

Detection Query

type.inbound
and (
  length(recipients.to) > 10
  and length(filter(recipients.to,
                    .email.domain.domain not in $org_domains
                    and .email.email not in $recipient_emails
                    and (
                      .email.domain.valid
                      or strings.icontains(.display_name, "undisclosed")
                    )
             )
  ) >= 10
)
and (
  strings.ilike(subject.subject,
                '*<*script*>*',
                '*xss.report*',
                '*eval(atob*',
                '*<*onload*>*',
                '*<*onerror*>*'
  )
  or strings.ilike(body.current_thread.text,
                   '*<*script*>*',
                   '*xss.report*',
                   '*eval(atob*',
                   '*<*onload*>*',
                   '*<*onerror*>*'
  )
)
and (
  length(body.links) == 0
  or (
    length(body.links) == 1
    and all(body.links, .href_url.domain.domain == "this.id")
  )
)
and profile.by_sender().prevalence != "common"
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Mass campaign: Cross Site Scripting (XSS) attempt"
description: "Message subject or body contains Cross Site Scripting (XSS) indicators, and was sent to multiple unknown senders. Known spam technique."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (
                        .email.domain.valid
                        or strings.icontains(.display_name, "undisclosed")
                      )
               )
    ) >= 10
  )
  and (
    strings.ilike(subject.subject,
                  '*<*script*>*',
                  '*xss.report*',
                  '*eval(atob*',
                  '*<*onload*>*',
                  '*<*onerror*>*'
    )
    or strings.ilike(body.current_thread.text,
                     '*<*script*>*',
                     '*xss.report*',
                     '*eval(atob*',
                     '*<*onload*>*',
                     '*<*onerror*>*'
    )
  )
  and (
    length(body.links) == 0
    or (
      length(body.links) == 1
      and all(body.links, .href_url.domain.domain == "this.id")
    )
  )
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  

attack_types:
  - "Malware/Ransomware"
  - "Spam"
tactics_and_techniques:
  - "Exploit"
  - "Free email provider"
  - "Scripting"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "6cbb7124-2e84-50a5-a707-cc26683bb42a"