Sublime | Severity: medium | Rule

Credential phishing: Financial lure via ActiveCampaign infrastructure

Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and strings.contains(headers.mailer, "ActiveCampaign")
and (
  strings.ilike(body.current_thread.text,
                "*Piratini*",
                "*45.405.898/0001-16*",
                "*Cancelar inscri*",
                "*Matem?tica Genial*"
  )
  or strings.ilike(body.html.raw,
                   "*belonging to Spun*",
                   "*affiliated with Spun*"
  )
)
and (
  length(html.xpath(body.html,
                    '//*[contains(@style, "background") and contains(@style, "padding")] | //a[contains(@class, "es-button")]'
         ).nodes
  ) > 0
  or length(html.xpath(body.html, '//a/img').nodes) > 0
)
and ml.nlu_classifier(body.current_thread.text).language == "english"
and not any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Health and Wellness", "Entertainment and Sports")
            and .confidence == "high"
)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Credential phishing: Financial lure via ActiveCampaign infrastructure"
description: "Detects inbound phishing messages sent via ActiveCampaign using identifiable infrastructure fingerprints and hidden boilerplate text. Covers a wide range of lure themes including credit cards, loans, deposits, account updates, and vague document or verification prompts. Requires NLU Financial Communications topic classification."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.contains(headers.mailer, "ActiveCampaign")
  and (
    strings.ilike(body.current_thread.text,
                  "*Piratini*",
                  "*45.405.898/0001-16*",
                  "*Cancelar inscri*",
                  "*Matem?tica Genial*"
    )
    or strings.ilike(body.html.raw,
                     "*belonging to Spun*",
                     "*affiliated with Spun*"
    )
  )
  and (
    length(html.xpath(body.html,
                      '//*[contains(@style, "background") and contains(@style, "padding")] | //a[contains(@class, "es-button")]'
           ).nodes
    ) > 0
    or length(html.xpath(body.html, '//a/img').nodes) > 0
  )
  and ml.nlu_classifier(body.current_thread.text).language == "english"
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name in ("Health and Wellness", "Entertainment and Sports")
              and .confidence == "high"
  )
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "8b18a6eb-fc61-55d0-be68-c397bddfa3bd"