← Back to Explore
sublimemediumRule
Credential phishing: 'Secure message' and engaging language
Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
Detection Query
type.inbound
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
// ----- other suspicious signals here -----
and (
(
regex.icontains(body.current_thread.text,
"secured? (message|directory|document)"
)
or strings.icontains(body.current_thread.text, "document portal")
or strings.icontains(body.current_thread.text, "encrypted message")
or strings.icontains(body.current_thread.text, "protected message")
)
or any(body.previous_threads,
regex.icontains(.text, "secured? (message|directory|document)")
or strings.icontains(.text, "document portal")
or strings.icontains(.text, "encrypted message")
or strings.icontains(.text, "protected message")
)
)
// todo: automated display name / human local part
// todo: suspicious link (unfurl click trackers)
// ----------
// has at least 1 link
and length(body.links) > 0
// negate legitimate message senders
and (
sender.email.domain.root_domain not in ("protectedtrust.com")
and any(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
// negate known secure mailers
and not all(body.links,
.href_url.domain.root_domain in (
"mimecast.com",
"cisco.com",
"csiesafe.com"
)
)
and any(headers.hops,
.index == 0
and not any(.fields,
strings.contains(.value,
'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
)
)
)
and not (
length(filter(attachments,
strings.ilike(.file_name,
"logo.*",
"lock.gif",
"SecureMessageAtt.html"
)
)
) == 3
and any(attachments,
.file_type == "html"
and any(file.explode(.),
.scan.html.title == "Proofpoint Encryption"
and any(.scan.url.urls,
strings.iends_with(.path,
'formpostdir/safeformpost.aspx'
)
)
)
and strings.count(file.parse_html(.).raw, 'name="msg') > 3
)
)
and not (
any(headers.hops,
any(.fields,
.name in (
'X-ZixNet',
'X-VPM-MIV',
'X-VPM-ActionCode',
'X-VPM-SmtpTo'
)
)
)
and any(headers.domains,
.root_domain in (
"zixport.com",
"zixcorp.com",
"zixmail.net",
"zixworks.com"
)
)
)
and not (
any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
and any(headers.domains, .root_domain in ("sendinc.net"))
)
// negating Mimecast sends with MS banner and/or sender's email pulled out as a link
and not length(filter(body.links,
(
.display_text is null
and .display_url.url == sender.email.domain.root_domain
)
or .href_url.domain.root_domain in (
"aka.ms",
"mimecast.com",
"cisco.com"
)
)
) == length(body.links)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
// or the sender is all undisclosed or there are no recipients
or (
length(recipients.to) == 0
or all(recipients.to,
strings.ilike(.display_name, "undisclosed?recipients")
)
)
// or the sender exhibits a "self sender" pattern
or (
length(recipients.to) == 1
and any(recipients.to, .email.email == sender.email.email)
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Credential phishing: 'Secure message' and engaging language"
description: |
Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
type: "rule"
severity: "medium"
source: |
type.inbound
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
// ----- other suspicious signals here -----
and (
(
regex.icontains(body.current_thread.text,
"secured? (message|directory|document)"
)
or strings.icontains(body.current_thread.text, "document portal")
or strings.icontains(body.current_thread.text, "encrypted message")
or strings.icontains(body.current_thread.text, "protected message")
)
or any(body.previous_threads,
regex.icontains(.text, "secured? (message|directory|document)")
or strings.icontains(.text, "document portal")
or strings.icontains(.text, "encrypted message")
or strings.icontains(.text, "protected message")
)
)
// todo: automated display name / human local part
// todo: suspicious link (unfurl click trackers)
// ----------
// has at least 1 link
and length(body.links) > 0
// negate legitimate message senders
and (
sender.email.domain.root_domain not in ("protectedtrust.com")
and any(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
)
// negate known secure mailers
and not all(body.links,
.href_url.domain.root_domain in (
"mimecast.com",
"cisco.com",
"csiesafe.com"
)
)
and any(headers.hops,
.index == 0
and not any(.fields,
strings.contains(.value,
'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
)
)
)
and not (
length(filter(attachments,
strings.ilike(.file_name,
"logo.*",
"lock.gif",
"SecureMessageAtt.html"
)
)
) == 3
and any(attachments,
.file_type == "html"
and any(file.explode(.),
.scan.html.title == "Proofpoint Encryption"
and any(.scan.url.urls,
strings.iends_with(.path,
'formpostdir/safeformpost.aspx'
)
)
)
and strings.count(file.parse_html(.).raw, 'name="msg') > 3
)
)
and not (
any(headers.hops,
any(.fields,
.name in (
'X-ZixNet',
'X-VPM-MIV',
'X-VPM-ActionCode',
'X-VPM-SmtpTo'
)
)
)
and any(headers.domains,
.root_domain in (
"zixport.com",
"zixcorp.com",
"zixmail.net",
"zixworks.com"
)
)
)
and not (
any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
and any(headers.domains, .root_domain in ("sendinc.net"))
)
// negating Mimecast sends with MS banner and/or sender's email pulled out as a link
and not length(filter(body.links,
(
.display_text is null
and .display_url.url == sender.email.domain.root_domain
)
or .href_url.domain.root_domain in (
"aka.ms",
"mimecast.com",
"cisco.com"
)
)
) == length(body.links)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
// or the sender is all undisclosed or there are no recipients
or (
length(recipients.to) == 0
or all(recipients.to,
strings.ilike(.display_name, "undisclosed?recipients")
)
)
// or the sender exhibits a "self sender" pattern
or (
length(recipients.to) == 1
and any(recipients.to, .email.email == sender.email.email)
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "Sender analysis"
id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"