← Back to Explore
sublimehighRule
Fake email quarantine notification
Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages.
Detection Query
type.inbound
and length(body.links) < 10
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or (
length(body.current_thread.text) < 250
and any(recipients.to,
strings.icontains(body.current_thread.text, .email.domain.sld)
or strings.icontains(body.current_thread.text, .email.local_part)
)
)
)
and not (
length(ml.nlu_classifier(body.current_thread.text).topics) == 1
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Financial Communications" and .confidence != "low"
)
)
and 3 of (
strings.ilike(body.current_thread.text, "*review*"),
strings.ilike(body.current_thread.text, "*incoming*"),
strings.ilike(body.current_thread.text, "*release*"),
strings.ilike(body.current_thread.text, "*quarantine*"),
strings.ilike(body.current_thread.text, "*messages*"),
strings.ilike(body.current_thread.text, "*server error*"),
strings.ilike(body.current_thread.text, "*blocked*"),
strings.ilike(body.current_thread.text, "*prevented*"),
strings.ilike(body.current_thread.text, "*validation*"),
strings.ilike(body.current_thread.text, "*notification*"),
strings.ilike(body.current_thread.text, "*kindly*"),
strings.ilike(body.current_thread.text, "*on hold*"),
strings.ilike(body.current_thread.text, "*held*"),
strings.ilike(body.current_thread.text, "*pending*"),
strings.ilike(body.current_thread.text, "*stuck*"),
strings.like(body.current_thread.text, "* MX *")
)
and (
any(body.links,
regex.icontains(.display_text,
"view",
"release",
"message",
"delete",
"recover",
"SSO",
"sign in"
)
)
or (
length(body.links) < 3
and any(body.links,
any(recipients.to,
.email.domain.root_domain == ..display_url.domain.root_domain
and ..mismatched
)
)
)
)
and not any(body.links,
regex.icontains(.display_text,
"view document",
"review (&|and) sign document"
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"office365.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
"ppops.net"
)
// negate org domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $org_domains
and (
not headers.auth_summary.dmarc.pass
// MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
or not (
headers.auth_summary.dmarc.pass is null
and all(headers.domains,
.root_domain in ("outlook.com", "office365.com")
)
// typical emails from freemail Outlook accounts are from prod.outlook.com
and strings.ends_with(headers.message_id, "protection.outlook.com>")
)
)
)
or sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Fake email quarantine notification"
description: "Detects phishing messages implying that emails have been delayed or blocked, prompting users to view, release, or delete pending messages."
type: "rule"
severity: "high"
source: |
type.inbound
and length(body.links) < 10
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or (
length(body.current_thread.text) < 250
and any(recipients.to,
strings.icontains(body.current_thread.text, .email.domain.sld)
or strings.icontains(body.current_thread.text, .email.local_part)
)
)
)
and not (
length(ml.nlu_classifier(body.current_thread.text).topics) == 1
and any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Financial Communications" and .confidence != "low"
)
)
and 3 of (
strings.ilike(body.current_thread.text, "*review*"),
strings.ilike(body.current_thread.text, "*incoming*"),
strings.ilike(body.current_thread.text, "*release*"),
strings.ilike(body.current_thread.text, "*quarantine*"),
strings.ilike(body.current_thread.text, "*messages*"),
strings.ilike(body.current_thread.text, "*server error*"),
strings.ilike(body.current_thread.text, "*blocked*"),
strings.ilike(body.current_thread.text, "*prevented*"),
strings.ilike(body.current_thread.text, "*validation*"),
strings.ilike(body.current_thread.text, "*notification*"),
strings.ilike(body.current_thread.text, "*kindly*"),
strings.ilike(body.current_thread.text, "*on hold*"),
strings.ilike(body.current_thread.text, "*held*"),
strings.ilike(body.current_thread.text, "*pending*"),
strings.ilike(body.current_thread.text, "*stuck*"),
strings.like(body.current_thread.text, "* MX *")
)
and (
any(body.links,
regex.icontains(.display_text,
"view",
"release",
"message",
"delete",
"recover",
"SSO",
"sign in"
)
)
or (
length(body.links) < 3
and any(body.links,
any(recipients.to,
.email.domain.root_domain == ..display_url.domain.root_domain
and ..mismatched
)
)
)
)
and not any(body.links,
regex.icontains(.display_text,
"view document",
"review (&|and) sign document"
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"office365.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
"ppops.net"
)
// negate org domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $org_domains
and (
not headers.auth_summary.dmarc.pass
// MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
or not (
headers.auth_summary.dmarc.pass is null
and all(headers.domains,
.root_domain in ("outlook.com", "office365.com")
)
// typical emails from freemail Outlook accounts are from prod.outlook.com
and strings.ends_with(headers.message_id, "protection.outlook.com>")
)
)
)
or sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "73f26a3d-b7a5-5b85-83e6-45f1b40f78fb"