EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Credential Phishing: Suspicious language, link, recipients and other indicators

The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from an untrusted sender.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasion

Detection Query

type.inbound

// no recipients defined
and (
  length(recipients.to) == 0
  or all(recipients.to, .display_name == "Undisclosed recipients")
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
and any(body.links,

        // suspicious link
        // we've particularly seen 1drv.ms abused
        // if using the full list causes FPs, we can reduce the 
        // scope to a hard-coded list or add exclusions
        (
          .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
        )

        // link text is in all caps
        and regex.match(.display_text, "[A-Z ]+")
)

// any confidence cred_theft classification
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft"
)

// 'org' entity is in all caps
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "org" and regex.match(.text, "[A-Z ]+")
)

// subject is in all caps
and regex.match(subject.subject, "[A-Z ]+")
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Credential Phishing: Suspicious language, link, recipients and other indicators"
description: |
  The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from an untrusted sender.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // no recipients defined
  and (
    length(recipients.to) == 0
    or all(recipients.to, .display_name == "Undisclosed recipients")
  )
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  and any(body.links,

          // suspicious link
          // we've particularly seen 1drv.ms abused
          // if using the full list causes FPs, we can reduce the 
          // scope to a hard-coded list or add exclusions
          (
            .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
          )

          // link text is in all caps
          and regex.match(.display_text, "[A-Z ]+")
  )

  // any confidence cred_theft classification
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft"
  )

  // 'org' entity is in all caps
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "org" and regex.match(.text, "[A-Z ]+")
  )

  // subject is in all caps
  and regex.match(subject.subject, "[A-Z ]+")
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"