← Back to Explore
sublimemediumRule
Credential phishing: Engaging language and other indicators (untrusted sender)
Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
Detection Query
type.inbound
and (
regex.icontains(subject.subject,
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"crediential.*notif",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"disconnection.*notice",
"document.received",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2} preview",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"(?:payroll|salary|bonus).*Distribution",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"report",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"undelivered message",
"unread.*doc",
"unusual.activity",
"(?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access",
"de.activation",
// https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
"account has been limited",
"action required",
"almost full",
"apd notifi cation",
"are you at your desk",
"are you available",
"attached file to docusign",
"banking is temporarily unavailable",
"bankofamerica",
"closing statement invoice",
"completed: docusign",
"de-activation of",
"delivery attempt",
"delivery stopped for shipment",
"detected suspicious",
"detected suspicious actvity",
"docu sign",
"document for you",
"document has been sent to you via docusign",
"document is ready for signature",
"docusign",
"encrypted message",
"failed delivery",
"fedex tracking",
"file was shared",
"freefax",
"fwd: due invoice paid",
"has shared",
"inbox is full",
"invitation to comment",
"invitation to edit",
"invoice due",
"left you a message",
"message from",
"new message",
"new voicemail",
"on desk",
"out of space",
"password reset",
"payment status",
"pay notification",
"quick reply",
"re: w-2",
"required",
"required: completed docusign",
"remittance",
"ringcentral",
"scanned image",
"secured files",
"secured pdf",
"security alert",
"new sign-in",
"new sign in",
"sign-in attempt",
"sign in attempt",
"staff review",
"suspicious activity",
"unrecognized login attempt",
"unusual signin",
"upgrade immediately",
"urgent",
"wants to share",
"w2",
"you have notifications pending",
"your account",
"your amazon order",
"your document settlement",
"your order with amazon",
"your password has been compromised",
)
or (
regex.icontains(subject.subject, 'account.has.been')
and not regex.icontains(subject.subject, 'account.has.been.*created')
)
or (
regex.icontains(sender.display_name,
"Admin",
"Administrator",
"Alert",
"Assistant",
"Authenticat(or|ion)",
"Billing",
"Benefits",
"Bonus",
"CEO",
"CFO",
"CIO",
"CTO",
"Chairman",
"Claim",
"Confirm",
"Cpanel Mail",
"Critical",
"Customer Service",
"Deal",
"Discount",
"Director",
"Exclusive",
"Executive",
"Fax",
"Free",
"Gift",
'\bHR\b',
"Helpdesk",
"Human Resources",
"Immediate",
"Important",
"Info",
"Information",
"Invoice",
'\bIT\b',
'\bLegal\b',
"Lottery",
"Management",
"Manager",
"Member Services",
"Notification",
"Offer",
"Official Communication",
"Operations",
"Order",
"Partner",
"Payment",
"Payroll",
"Postmaster",
"President",
"Premium",
"Prize",
"Receipt",
"Refund",
"Registrar",
"Required",
"Reward",
"Sales",
"Secretary",
"Security",
"Server",
"Service",
"Storage",
"Support",
"Sweepstakes",
"System",
"Tax",
"Tech Support",
"Update",
"Upgrade",
"Urgent",
"Validate",
"Verify",
"VIP",
"Webmaster",
"Winner",
)
// add negation for common FPs in the sender display_name
and not strings.icontains(sender.display_name, "service bulletin")
and not strings.icontains(sender.display_name, "automotive service")
)
)
and (
4 of (
any(recipients.to,
.email.domain.valid
and (
strings.icontains(body.current_thread.text, .email.email)
or strings.icontains(body.current_thread.text, .email.local_part)
)
),
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
),
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
),
// recipient email address base64 encoded in link
any(body.links,
any(recipients.to,
any(beta.scan_base64(..href_url.url,
ignore_padding=true,
format="url"
),
strings.icontains(., ..email.email)
)
)
),
(
// freemail providers should never be sending this type of email
sender.email.domain.domain in $free_email_providers
// if not freemail, it's suspicious if the sender's root domain
// doesn't match any links in the body
or all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
and (
.href_url.domain.root_domain not in $org_domains
// ignore recipient email addresses in the body in relation to this check
or (
.href_url.domain.root_domain in $org_domains
and any(recipients.to,
strings.icount(body.current_thread.text, .email.email) == strings.icount(body.current_thread.text,
.email.domain.domain
)
)
)
)
)
// bulk mailers should also never be sending this type of email
or all(filter(body.links,
.href_url.domain.domain not in (
"aka.ms",
"mimecast.com",
"mimecastprotect.com",
"cisco.com"
)
),
.href_url.domain.root_domain in $bulk_mailer_url_root_domains
)
),
// in case it's embedded in an image attachment
// note: don't use message_screenshot() because it's not limited to current_thread
// and may FP
any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
)
),
strings.contains(body.current_thread.text,
"Your mailbox can no longer send or receive messages."
),
any(body.links,
strings.icontains(.href_url.query_params, 'redirect')
or any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
),
// multiple entities displaying urgency
length(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
) >= 2
// and any body links
and any(body.links,
// display text contains a request
any(ml.nlu_classifier(.display_text).entities, .name == "request")
),
any(body.links,
// display text contains a request
(
any(ml.nlu_classifier(.display_text).entities, .name == "request")
or regex.match(.display_text, '^[^a-z]+$')
)
and (
.href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $free_file_hosts
or (
.href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
and any(.href_url.query_params_decoded['domain'],
strings.parse_url(strings.concat("https://", .)).domain.domain in $url_shorteners
or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $url_shorteners
or strings.parse_url(strings.concat("https://", .)).domain.domain in $free_file_hosts
or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $free_subdomain_hosts
or strings.parse_url(strings.concat("https://", .)).domain.domain in $social_landing_hosts
or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $social_landing_hosts
)
)
)
),
// common greetings via email.local_part
any(recipients.to,
length(.email.local_part) > 2
and
// use count to ensure the email address is not part of a disclaimer
strings.icount(body.current_thread.text, .email.local_part) >
// sum allows us to add more logic as needed
strings.icount(body.current_thread.text,
strings.concat('was sent to ', .email.email)
) + strings.icount(body.current_thread.text,
strings.concat('intended for ', .email.email)
)
)
)
or (
(
// recipient's email address is in the body
any(recipients.to,
// use count to ensure the email address is not part of a disclaimer
strings.icount(body.current_thread.text, .email.email) >
// sum allows us to add more logic as needed
sum([
strings.icount(body.current_thread.text,
strings.concat('was sent to ', .email.email)
),
strings.icount(body.current_thread.text,
strings.concat('intended for ', .email.email)
)
]
)
)
// suspicious display text
or (
length(body.links) == 1
and all(body.links,
strings.ilike(.display_text, "*click here*", "*password*")
)
)
)
// link leads to a suspicious TLD or contains an IP address or contains multiple redirects
and any(body.links,
(
ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.root_domain
)
)
) >= 4
or (
any(body.ips,
any(body.links, strings.icontains(.href_url.url, ..ip))
)
)
)
)
)
)
// exclude Google shared calendar messages
// Subject: "<sender name> has shared a calendar with you"
and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
// negate calendar invites
and not (
0 < length(attachments) < 3
and all(attachments, .content_type in ("text/calendar", "application/ics"))
)
// negate replies
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.icontains(subject.subject,
'^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
)
)
)
)
or length(headers.references) == 0
)
// bounce-back and DMARC report negations
and not (
strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and (
any(attachments,
.content_type in (
"message/rfc822",
"message/delivery-status",
"text/calendar"
)
)
or (
length(attachments) == 1
and all(attachments, .content_type in ("application/gzip"))
and regex.icontains(subject.subject,
'(?:(Report\sDomain).*(Submitter).*(Report-ID))'
)
)
)
)
and (
(
profile.by_sender().prevalence != "common"
and not profile.by_sender_email().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// FP avoidance
and not any(beta.ml_topic(body.current_thread.text).topics,
.name in (
"Advertising and Promotions",
"Political Mail",
"News and Current Events",
"Newsletters and Digests"
)
and .confidence == "high"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Credential phishing: Engaging language and other indicators (untrusted sender)"
description: |
Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.
type: "rule"
severity: "medium"
source: |
type.inbound
and (
regex.icontains(subject.subject,
"termination.*notice",
"38417",
":completed",
"[il1]{2}mit.*ma[il1]{2} ?bo?x",
"[il][il][il]egai[ -]",
"[li][li][li]ega[li] attempt",
"[ng]-?[io]n .*block",
"[ng]-?[io]n .*cancel",
"[ng]-?[io]n .*deactiv",
"[ng]-?[io]n .*disabl",
"action.*required",
"abandon.*package",
"about.your.account",
"acc(ou)?n?t (is )?on ho[li]d",
"acc(ou)?n?t.*terminat",
"acc(oun)?t.*[il1]{2}mitation",
"access.*limitation",
"account (will be )?block",
"account.*de-?activat",
"account.*locked",
"account.*re-verification",
"account.*security",
"account.*suspension",
"account.has.expired",
"account.will.be.blocked",
"account v[il]o[li]at",
"activity.*acc(oun)?t",
"almost.full",
"app[li]e.[il]d",
"authenticate.*account",
"been.*suspend",
"crediential.*notif",
"clos.*of.*account.*processed",
"confirm.your.account",
"courier.*able",
"crediential.*notif",
"deactivation.*in.*progress",
"delivery.*attempt.*failed",
"disconnection.*notice",
"document.received",
"documented.*shared.*with.*you",
"dropbox.*document",
"e-?ma[il1]+ .{010}suspen",
"e-?ma[il1]{1} user",
"e-?ma[il1]{2} acc",
"e-?ma[il1]{2} preview",
"e-?ma[il1]{2}.*up.?grade",
"e.?ma[il1]{2}.*server",
"e.?ma[il1]{2}.*suspend",
"email.update",
"faxed you",
"fraud(ulent)?.*charge",
"from.helpdesk",
"fu[il1]{2}.*ma[il1]+[ -]?box",
"has.been.*suspended",
"has.been.limited",
"have.locked",
"he[li]p ?desk upgrade",
"heipdesk",
"i[il]iega[il]",
"ii[il]ega[il]",
"incoming e?mail",
"incoming.*fax",
"lock.*security",
"ma[il1]{1}[ -]?box.*quo",
"ma[il1]{2}[ -]?box.*fu[il1]",
"ma[il1]{2}box.*[il1]{2}mit",
"ma[il1]{2}box stor",
"mail on.?hold",
"mail.*box.*migration",
"mail.*de-?activat",
"mail.update.required",
"mails.*pending",
"messages.*pending",
"missed.*shipping.*notification",
"missed.shipment.notification",
"must.update.your.account",
"new [sl][io]g?[nig][ -]?in from",
"new voice ?-?mail",
"notifications.*pending",
"office.*3.*6.*5.*suspend",
"office365",
"on google docs with you",
"online doc",
"password.*compromised",
"(?:payroll|salary|bonus).*Distribution",
"periodic maintenance",
"potential(ly)? unauthorized",
"refund not approved",
"report",
"revised.*policy",
"scam",
"scanned.?invoice",
"secured?.update",
"security breach",
"securlty",
"signed.*delivery",
"status of your .{314}? ?delivery",
"susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
"suspicious.*sign.*[io]n",
"suspicious.activit",
"temporar(il)?y deactivate",
"temporar[il1]{2}y disab[li]ed",
"temporarily.*lock",
"un-?usua[li].activity",
"unable.*deliver",
"unauthorized.*activit",
"unauthorized.device",
"undelivered message",
"unread.*doc",
"unusual.activity",
"(?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt",
"upgrade.*account",
"upgrade.notice",
"urgent message",
"urgent.verification",
"v[il1]o[li1]at[il1]on security",
"va[il1]{1}date.*ma[il1]{2}[ -]?box",
"verification ?-?require",
"verification( )?-?need",
"verify.your?.account",
"web ?-?ma[il1]{2}",
"web[ -]?ma[il1]{2}",
"will.be.suspended",
"your (customer )?account .as",
"your.office.365",
"your.online.access",
"de.activation",
// https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
"account has been limited",
"action required",
"almost full",
"apd notifi cation",
"are you at your desk",
"are you available",
"attached file to docusign",
"banking is temporarily unavailable",
"bankofamerica",
"closing statement invoice",
"completed: docusign",
"de-activation of",
"delivery attempt",
"delivery stopped for shipment",
"detected suspicious",
"detected suspicious actvity",
"docu sign",
"document for you",
"document has been sent to you via docusign",
"document is ready for signature",
"docusign",
"encrypted message",
"failed delivery",
"fedex tracking",
"file was shared",
"freefax",
"fwd: due invoice paid",
"has shared",
"inbox is full",
"invitation to comment",
"invitation to edit",
"invoice due",
"left you a message",
"message from",
"new message",
"new voicemail",
"on desk",
"out of space",
"password reset",
"payment status",
"pay notification",
"quick reply",
"re: w-2",
"required",
"required: completed docusign",
"remittance",
"ringcentral",
"scanned image",
"secured files",
"secured pdf",
"security alert",
"new sign-in",
"new sign in",
"sign-in attempt",
"sign in attempt",
"staff review",
"suspicious activity",
"unrecognized login attempt",
"unusual signin",
"upgrade immediately",
"urgent",
"wants to share",
"w2",
"you have notifications pending",
"your account",
"your amazon order",
"your document settlement",
"your order with amazon",
"your password has been compromised",
)
or (
regex.icontains(subject.subject, 'account.has.been')
and not regex.icontains(subject.subject, 'account.has.been.*created')
)
or (
regex.icontains(sender.display_name,
"Admin",
"Administrator",
"Alert",
"Assistant",
"Authenticat(or|ion)",
"Billing",
"Benefits",
"Bonus",
"CEO",
"CFO",
"CIO",
"CTO",
"Chairman",
"Claim",
"Confirm",
"Cpanel Mail",
"Critical",
"Customer Service",
"Deal",
"Discount",
"Director",
"Exclusive",
"Executive",
"Fax",
"Free",
"Gift",
'\bHR\b',
"Helpdesk",
"Human Resources",
"Immediate",
"Important",
"Info",
"Information",
"Invoice",
'\bIT\b',
'\bLegal\b',
"Lottery",
"Management",
"Manager",
"Member Services",
"Notification",
"Offer",
"Official Communication",
"Operations",
"Order",
"Partner",
"Payment",
"Payroll",
"Postmaster",
"President",
"Premium",
"Prize",
"Receipt",
"Refund",
"Registrar",
"Required",
"Reward",
"Sales",
"Secretary",
"Security",
"Server",
"Service",
"Storage",
"Support",
"Sweepstakes",
"System",
"Tax",
"Tech Support",
"Update",
"Upgrade",
"Urgent",
"Validate",
"Verify",
"VIP",
"Webmaster",
"Winner",
)
// add negation for common FPs in the sender display_name
and not strings.icontains(sender.display_name, "service bulletin")
and not strings.icontains(sender.display_name, "automotive service")
)
)
and (
4 of (
any(recipients.to,
.email.domain.valid
and (
strings.icontains(body.current_thread.text, .email.email)
or strings.icontains(body.current_thread.text, .email.local_part)
)
),
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
),
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
),
// recipient email address base64 encoded in link
any(body.links,
any(recipients.to,
any(beta.scan_base64(..href_url.url,
ignore_padding=true,
format="url"
),
strings.icontains(., ..email.email)
)
)
),
(
// freemail providers should never be sending this type of email
sender.email.domain.domain in $free_email_providers
// if not freemail, it's suspicious if the sender's root domain
// doesn't match any links in the body
or all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
and (
.href_url.domain.root_domain not in $org_domains
// ignore recipient email addresses in the body in relation to this check
or (
.href_url.domain.root_domain in $org_domains
and any(recipients.to,
strings.icount(body.current_thread.text, .email.email) == strings.icount(body.current_thread.text,
.email.domain.domain
)
)
)
)
)
// bulk mailers should also never be sending this type of email
or all(filter(body.links,
.href_url.domain.domain not in (
"aka.ms",
"mimecast.com",
"mimecastprotect.com",
"cisco.com"
)
),
.href_url.domain.root_domain in $bulk_mailer_url_root_domains
)
),
// in case it's embedded in an image attachment
// note: don't use message_screenshot() because it's not limited to current_thread
// and may FP
any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
)
),
strings.contains(body.current_thread.text,
"Your mailbox can no longer send or receive messages."
),
any(body.links,
strings.icontains(.href_url.query_params, 'redirect')
or any(.href_url.rewrite.encoders,
strings.icontains(., "open_redirect")
)
),
// multiple entities displaying urgency
length(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
) >= 2
// and any body links
and any(body.links,
// display text contains a request
any(ml.nlu_classifier(.display_text).entities, .name == "request")
),
any(body.links,
// display text contains a request
(
any(ml.nlu_classifier(.display_text).entities, .name == "request")
or regex.match(.display_text, '^[^a-z]+$')
)
and (
.href_url.domain.domain in $url_shorteners
or .href_url.domain.domain in $social_landing_hosts
or .href_url.domain.root_domain in $url_shorteners
or .href_url.domain.root_domain in $social_landing_hosts
or .href_url.domain.domain in $free_file_hosts
or (
.href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
and any(.href_url.query_params_decoded['domain'],
strings.parse_url(strings.concat("https://", .)).domain.domain in $url_shorteners
or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $url_shorteners
or strings.parse_url(strings.concat("https://", .)).domain.domain in $free_file_hosts
or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $free_subdomain_hosts
or strings.parse_url(strings.concat("https://", .)).domain.domain in $social_landing_hosts
or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $social_landing_hosts
)
)
)
),
// common greetings via email.local_part
any(recipients.to,
length(.email.local_part) > 2
and
// use count to ensure the email address is not part of a disclaimer
strings.icount(body.current_thread.text, .email.local_part) >
// sum allows us to add more logic as needed
strings.icount(body.current_thread.text,
strings.concat('was sent to ', .email.email)
) + strings.icount(body.current_thread.text,
strings.concat('intended for ', .email.email)
)
)
)
or (
(
// recipient's email address is in the body
any(recipients.to,
// use count to ensure the email address is not part of a disclaimer
strings.icount(body.current_thread.text, .email.email) >
// sum allows us to add more logic as needed
sum([
strings.icount(body.current_thread.text,
strings.concat('was sent to ', .email.email)
),
strings.icount(body.current_thread.text,
strings.concat('intended for ', .email.email)
)
]
)
)
// suspicious display text
or (
length(body.links) == 1
and all(body.links,
strings.ilike(.display_text, "*click here*", "*password*")
)
)
)
// link leads to a suspicious TLD or contains an IP address or contains multiple redirects
and any(body.links,
(
ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
.domain.root_domain
)
)
) >= 4
or (
any(body.ips,
any(body.links, strings.icontains(.href_url.url, ..ip))
)
)
)
)
)
)
// exclude Google shared calendar messages
// Subject: "<sender name> has shared a calendar with you"
and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
// negate calendar invites
and not (
0 < length(attachments) < 3
and all(attachments, .content_type in ("text/calendar", "application/ics"))
)
// negate replies
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.icontains(subject.subject,
'^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
)
)
)
)
or length(headers.references) == 0
)
// bounce-back and DMARC report negations
and not (
strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and (
any(attachments,
.content_type in (
"message/rfc822",
"message/delivery-status",
"text/calendar"
)
)
or (
length(attachments) == 1
and all(attachments, .content_type in ("application/gzip"))
and regex.icontains(subject.subject,
'(?:(Report\sDomain).*(Submitter).*(Report-ID))'
)
)
)
)
and (
(
profile.by_sender().prevalence != "common"
and not profile.by_sender_email().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// FP avoidance
and not any(beta.ml_topic(body.current_thread.text).topics,
.name in (
"Advertising and Promotions",
"Political Mail",
"News and Current Events",
"Newsletters and Digests"
)
and .confidence == "high"
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5"