Suspicious recipients pattern with NLU credential theft indicators

name: "Suspicious recipients pattern with NLU credential theft indicators"
description: "Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    length(recipients.to) == 0
    or all(recipients.to, strings.ilike(.display_name, "undisclosed?recipients"))
  )
  and length(recipients.cc) == 0
  and 0 <= length(recipients.bcc) <= 1
  and any(body.links, .href_url.domain.root_domain not in $tranco_1m)
  and (
    any(body.links,
        regex.icontains(.display_text,
                        '(view|click|download|goto)?(attachment|download|file|online|document)s?'
        )
        or all(body.links, regex.match(.display_text, "[A-Z ]+"))
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft") and .confidence in ("medium", "high")
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "8e121c3e-b9cf-5aa3-b799-e025a69b7d8c"