← Back to Explore
sublimemediumRule
Credential phishing language and suspicious indicators (unknown sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
Detection Query
type.inbound
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
// embedded in an image attachment
// note: don't use message_screenshot()
// because it's not limited to current_thread and may FP
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
)
and 4 of (
// impersonation of the recipient's domain or email address
// in the subject to make it look more personalized
any(recipients.to,
(
strings.icontains(subject.subject, .email.local_part)
or strings.icontains(subject.subject, .email.domain.sld)
)
and (
.email.domain.valid or strings.icontains(.display_name, "undisclosed")
)
),
// recipient's email address in the body. this is not very uncommon
// for legit credential themed messages either
any(recipients.to,
(.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
and strings.icontains(body.current_thread.text, .email.email)
),
( // page contains turnstile captcha
any(body.links,
strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'https://challenges.cloudflare.com/turnstile/',
)
)
),
(
// freemail providers should never be sending this type of email
sender.email.domain.domain in $free_email_providers
// if not freemail, it's suspicious if the sender's root domain
// doesn't match any links in the body
or (
length(body.links) > 0
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
)
),
strings.contains(body.current_thread.text,
"Your mailbox can no longer send or receive messages."
),
// link redirects to a suspicious TLD
any(body.links,
any(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld in $suspicious_tlds
)
),
(
// suspicious redirects
// 3 or more different domains with 2 or more different TLDs
// careful because click trackers will always make this at least 2
// different domains and not unlikely 2 or more TLDs
any(body.links,
length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld
)
)
) >= 2
and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.domain
)
)
) >= 3
)
),
// maybe: any brand logo with high confidence
// maybe: recipients BCCd or undisclosed
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negating Google Calendar invites
and (
(
(
length(attachments) > 0
and not all(attachments,
.content_type in ("text/calendar", "application/ics")
)
)
and not (
any(distinct(headers.hops, .authentication_results.dmarc is null),
strings.ilike(.authentication_results.dmarc, "*pass")
and strings.ilike(.authentication_results.spf_details.designator,
"*calendar-server.bounces.google.com"
)
)
)
)
or length(attachments) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Credential phishing language and suspicious indicators (unknown sender)"
description: |
Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender.
type: "rule"
severity: "medium"
source: |
type.inbound
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
// embedded in an image attachment
// note: don't use message_screenshot()
// because it's not limited to current_thread and may FP
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
)
and 4 of (
// impersonation of the recipient's domain or email address
// in the subject to make it look more personalized
any(recipients.to,
(
strings.icontains(subject.subject, .email.local_part)
or strings.icontains(subject.subject, .email.domain.sld)
)
and (
.email.domain.valid or strings.icontains(.display_name, "undisclosed")
)
),
// recipient's email address in the body. this is not very uncommon
// for legit credential themed messages either
any(recipients.to,
(.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
and strings.icontains(body.current_thread.text, .email.email)
),
( // page contains turnstile captcha
any(body.links,
strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'https://challenges.cloudflare.com/turnstile/',
)
)
),
(
// freemail providers should never be sending this type of email
sender.email.domain.domain in $free_email_providers
// if not freemail, it's suspicious if the sender's root domain
// doesn't match any links in the body
or (
length(body.links) > 0
and all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
)
),
strings.contains(body.current_thread.text,
"Your mailbox can no longer send or receive messages."
),
// link redirects to a suspicious TLD
any(body.links,
any(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld in $suspicious_tlds
)
),
(
// suspicious redirects
// 3 or more different domains with 2 or more different TLDs
// careful because click trackers will always make this at least 2
// different domains and not unlikely 2 or more TLDs
any(body.links,
length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.tld
)
)
) >= 2
and length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.domain
)
)
) >= 3
)
),
// maybe: any brand logo with high confidence
// maybe: recipients BCCd or undisclosed
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negating Google Calendar invites
and (
(
(
length(attachments) > 0
and not all(attachments,
.content_type in ("text/calendar", "application/ics")
)
)
and not (
any(distinct(headers.hops, .authentication_results.dmarc is null),
strings.ilike(.authentication_results.dmarc, "*pass")
and strings.ilike(.authentication_results.spf_details.designator,
"*calendar-server.bounces.google.com"
)
)
)
)
or length(attachments) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
id: "89c186f7-8c8d-55db-8b6f-da6ead587b1d"