Suspicious subject with long procedurally generated text blob

name: "Suspicious subject with long procedurally generated text blob"
description: "This rule identifies subjects containing long strings of nonsensical or procedurally generated characters, which are often used in phishing or spam campaigns for campaign tracking and identification, as well as to bypass detection filters."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // "#" symbol, and then letters, numbers or more symbols (-#)
  and regex.imatch(subject.subject, ".*#[a-z0-9-#]+$")
  // not JUST letters
  and not regex.imatch(subject.subject, ".*#[a-z-]+$")
  // not JUST numbers
  and not regex.imatch(subject.subject, ".*#[0-9-]+$")
  and not any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Professional and Career Development",
                "Reminders and Notifications"
              )
              and .confidence == "high"
  )
  
  // and 1 other suspicious element
  and 2 of (
    any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld)),
    (
      regex.imatch(sender.display_name, ".*#[a-z0-9-#]+$")
      and not regex.imatch(subject.subject, ".*#[a-z-]+$")
      and not regex.imatch(subject.subject, ".*#[0-9-]+$")
    ),
    any(ml.nlu_classifier(subject.subject).intents,
        .name == "cred_theft" and .confidence == "high"
    ),
    body.current_thread.text is null
  )
  
  // standard negations
  and not profile.by_sender_email().any_messages_benign
  and not profile.by_sender_email().solicited
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "e819593d-b60d-5b57-8bf5-837be4111c3f"