← Back to Explore
sublimemediumRule
Xero infrastructure abuse
Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks.
Detection Query
type.inbound
and sender.email.email == "messaging-service@post.xero.com"
and
// there are external links (not org or xero domains)
length(filter(body.links,
.href_url.domain.domain not in $org_domains
and .href_url.domain.root_domain not in ("xero.com", )
)
) > 0
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// subject match when cred_theft doesn't match
// high confidence observed subject intros in the format of "Urgent Thing: ..."
or regex.icontains(subject.subject,
'^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram")
and .confidence in ("medium", "high")
)
// any of the links are for newly registered domains
or any(filter(body.links,
.href_url.domain.domain not in $org_domains
and .href_url.domain.root_domain not in ("xero.com")
),
network.whois(.href_url.domain).days_old < 30
)
or (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("B2B Cold Outreach", "Professional and Career Development")
and .confidence != "low"
)
)
// sender display name or subject contains confusables
or (
sender.display_name != strings.replace_confusables(sender.display_name)
or subject.subject != strings.replace_confusables(subject.subject)
)
// IP pool appears to be tagged by Xero via Mailgun
// https://help.mailgun.com/hc/en-us/articles/360052184214-IP-Pools
or any(headers.hops,
any(.fields,
.name == "X-Mailgun-Sending-Ip-Pool-Name"
and .value == "High Risk Pool"
)
)
)
and (
( // sender domain matches no body domains
length(body.links) > 0
and all(body.links,
.href_url.domain.root_domain not in ("xero.com", )
or .href_url.domain.root_domain is null
)
)
// link contains email address
or any(recipients.to,
.email.domain.valid
and any(body.links,
strings.icontains(.href_url.url, ..email.email)
or any(beta.scan_base64(.href_url.url,
format="url",
ignore_padding=true
),
strings.icontains(., ...email.email)
)
or any(beta.scan_base64(.href_url.fragment,
ignore_padding=true
),
strings.icontains(., ...email.email)
)
// cloudflare turnstile or phishing warning page
or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
"cloudflare"
)
)
)
or regex.icontains(subject.subject, "termination.*notice")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("sender", "org")
and regex.icontains(.text, 'Recruitment|staffing|\bhr\b')
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Xero infrastructure abuse"
description: "Identifies messages that resemble credential theft, originating from Xero. Xero infrastrcture abuse has been observed recently to send phishing attacks."
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.email == "messaging-service@post.xero.com"
and
// there are external links (not org or xero domains)
length(filter(body.links,
.href_url.domain.domain not in $org_domains
and .href_url.domain.root_domain not in ("xero.com", )
)
) > 0
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
// subject match when cred_theft doesn't match
// high confidence observed subject intros in the format of "Urgent Thing: ..."
or regex.icontains(subject.subject,
'^(?:(?:Final|Last)?\s*Warning|(?:Final|Last|Legal|Critical|Content Violation)?\s*(?:Alert|Noti(?:ce|fication))|Appeal Required|Time.Sensitive|Critical.Alert|Important|Copyright Issue)\s*:\s*'
)
or any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram")
and .confidence in ("medium", "high")
)
// any of the links are for newly registered domains
or any(filter(body.links,
.href_url.domain.domain not in $org_domains
and .href_url.domain.root_domain not in ("xero.com")
),
network.whois(.href_url.domain).days_old < 30
)
or (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("B2B Cold Outreach", "Professional and Career Development")
and .confidence != "low"
)
)
// sender display name or subject contains confusables
or (
sender.display_name != strings.replace_confusables(sender.display_name)
or subject.subject != strings.replace_confusables(subject.subject)
)
// IP pool appears to be tagged by Xero via Mailgun
// https://help.mailgun.com/hc/en-us/articles/360052184214-IP-Pools
or any(headers.hops,
any(.fields,
.name == "X-Mailgun-Sending-Ip-Pool-Name"
and .value == "High Risk Pool"
)
)
)
and (
( // sender domain matches no body domains
length(body.links) > 0
and all(body.links,
.href_url.domain.root_domain not in ("xero.com", )
or .href_url.domain.root_domain is null
)
)
// link contains email address
or any(recipients.to,
.email.domain.valid
and any(body.links,
strings.icontains(.href_url.url, ..email.email)
or any(beta.scan_base64(.href_url.url,
format="url",
ignore_padding=true
),
strings.icontains(., ...email.email)
)
or any(beta.scan_base64(.href_url.fragment,
ignore_padding=true
),
strings.icontains(., ...email.email)
)
// cloudflare turnstile or phishing warning page
or strings.icontains(ml.link_analysis(., mode="aggressive").final_dom.display_text,
"cloudflare"
)
)
)
or regex.icontains(subject.subject, "termination.*notice")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name in ("sender", "org")
and regex.icontains(.text, 'Recruitment|staffing|\bhr\b')
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "URL analysis"
id: "918c4bd3-987f-5f69-bb46-9465a0b87837"