EXPLORE
Sign In
← Back to Explore
sublimehighRule

Credential phishing content and link (untrusted sender)

Message contains credential theft language and a link to a credential phishing page from an unknown sender. We use Link Analysis in aggressive mode to increase our chances of scanning.

MITRE ATT&CK

T1566T1566.001T1566.002T1598
initial-access

Detection Query

type.inbound
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // embedded in an image attachment
  // note: don't use message_screenshot() for now
  // because it's not limited to current_thread and may FP
  or any(attachments,
         .file_type in $file_types_images
         and any(file.explode(.),
                 any(ml.nlu_classifier(.scan.ocr.raw).intents,
                     .name == "cred_theft" and .confidence in ("medium", "high")
                 )
         )
  )
)
and any(body.links,
        .href_url.domain.root_domain not in ("outlook.com")
        and .href_url.domain.domain != "play.google.com"
        and ml.link_analysis(., mode="aggressive").effective_url.domain.domain != "play.google.com"
        and ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
        and (
          ml.link_analysis(., mode="aggressive").credphish.confidence in (
            "medium",
            "high"
          )
          or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
        )
        and not .href_url.domain.root_domain == "c3reservations.com"
)
and (
  (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender_email().any_messages_malicious_or_spam
    and not profile.by_sender_email().any_messages_benign
  )
  // or there are no recipients
  or length(recipients.to) == 0
  // or the recipients are all invalid 
  or all(recipients.to, .email.domain.valid == false)

  // or the sender exhibits a "self sender" pattern
  or (
    length(recipients.to) == 1
    and recipients.to[0].email.email == sender.email.email
  )
)

// negate docusign 'via' messages
and not (
  any(headers.hops,
      any(.fields,
          .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
      )
  )
  and strings.contains(sender.display_name, "via")
)

// negate docusign originated emails
and not any(headers.hops,
            regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Credential phishing content and link (untrusted sender)"
description: |
  Message contains credential theft language and a link to a credential phishing page from an unknown sender.
  We use Link Analysis in aggressive mode to increase our chances of scanning.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    )
    // embedded in an image attachment
    // note: don't use message_screenshot() for now
    // because it's not limited to current_thread and may FP
    or any(attachments,
           .file_type in $file_types_images
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence in ("medium", "high")
                   )
           )
    )
  )
  and any(body.links,
          .href_url.domain.root_domain not in ("outlook.com")
          and .href_url.domain.domain != "play.google.com"
          and ml.link_analysis(., mode="aggressive").effective_url.domain.domain != "play.google.com"
          and ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
          and (
            ml.link_analysis(., mode="aggressive").credphish.confidence in (
              "medium",
              "high"
            )
            or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
          )
          and not .href_url.domain.root_domain == "c3reservations.com"
  )
  and (
    (
      profile.by_sender_email().prevalence in ("new", "outlier")
      and not profile.by_sender_email().solicited
    )
    or (
      profile.by_sender_email().any_messages_malicious_or_spam
      and not profile.by_sender_email().any_messages_benign
    )
    // or there are no recipients
    or length(recipients.to) == 0
    // or the recipients are all invalid 
    or all(recipients.to, .email.domain.valid == false)
  
    // or the sender exhibits a "self sender" pattern
    or (
      length(recipients.to) == 1
      and recipients.to[0].email.email == sender.email.email
    )
  )
  
  // negate docusign 'via' messages
  and not (
    any(headers.hops,
        any(.fields,
            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
        )
    )
    and strings.contains(sender.display_name, "via")
  )
  
  // negate docusign originated emails
  and not any(headers.hops,
              regex.imatch(.received.server.raw, ".+.docusign.(net|com)")
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Sender analysis"
  - "URL analysis"
  - "URL screenshot"
id: "f0c95bb7-afeb-5c8d-a654-74b5e026007f"