sublimelowRule

Spam: Personalized subject and greetings via Salesforce Marketing Cloud

Detects messages sent through Salesforce Marketing Cloud infrastructure that contain a fake previous email thread, where both the current and previous threads start with the same greeting pattern extracted from the subject line.

MITRE ATT&CK

T1566 T1598

initial-access

Detection Query

type.inbound
// attempt to find SF sending infra 
and (
  headers.domains[0].root_domain == "exacttarget.com"
  or strings.iends_with(headers.message_id, '.xt.local>')
  or any(headers.hops,
         any(.fields,
             .name =~ "X-SFMC-Stack"
             or (.name =~ "x-job" and regex.match(.value, '^\d+_\d+$'))
         )
  )
)
// the message contains a fake previous thread
and length(body.previous_threads) == 1

// extract the name from the subject
and any(regex.iextract(subject.base, '(?:^|: )(?P<first_name>[A-Z][a-z]+)$'),
        // the current thread starts with "Hi <extracted from subject>
        strings.istarts_with(body.current_thread.text,
                             strings.concat('Hi ', .named_groups["first_name"])
        )
        // the previous thread starts with "Hi <extracted from subject>
        and any(body.previous_threads,
                strings.istarts_with(.text,
                                     strings.concat('Hi ',
                                                    ..named_groups["first_name"]
                                     )
                )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Spam: Personalized subject and greetings via Salesforce Marketing Cloud"
description: "Detects messages sent through Salesforce Marketing Cloud infrastructure that contain a fake previous email thread, where both the current and previous threads start with the same greeting pattern extracted from the subject line."
type: "rule"
severity: "low"
source: |
  type.inbound
  // attempt to find SF sending infra 
  and (
    headers.domains[0].root_domain == "exacttarget.com"
    or strings.iends_with(headers.message_id, '.xt.local>')
    or any(headers.hops,
           any(.fields,
               .name =~ "X-SFMC-Stack"
               or (.name =~ "x-job" and regex.match(.value, '^\d+_\d+$'))
           )
    )
  )
  // the message contains a fake previous thread
  and length(body.previous_threads) == 1
  
  // extract the name from the subject
  and any(regex.iextract(subject.base, '(?:^|: )(?P<first_name>[A-Z][a-z]+)$'),
          // the current thread starts with "Hi <extracted from subject>
          strings.istarts_with(body.current_thread.text,
                               strings.concat('Hi ', .named_groups["first_name"])
          )
          // the previous thread starts with "Hi <extracted from subject>
          and any(body.previous_threads,
                  strings.istarts_with(.text,
                                       strings.concat('Hi ',
                                                      ..named_groups["first_name"]
                                       )
                  )
          )
  )
  

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "c77f127f-e495-5659-96ec-29aec02070d7"