Impersonation: DMARC failure with high confidence credential theft intent
Detects inbound messages that fail DMARC and whose body text carries a high-confidence credential theft intent
Detection Query
type.inbound
and any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft") and .confidence == "high"
)
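As an added illustration, not Sublime's own code, the Python below evaluates the rule's two conditions over a constructed two-hop message: it extracts the dmarc= result from every Authentication-Results header (one entry per hop), applies the distinct / not-null / ilike "*fail" logic, and ANDs that with the intent check. The classifier verdict is a constructed input, since ml.nlu_classifier cannot be reproduced offline.

```python
import email
import re

# Constructed sample: two hops, the receiving MX recorded dmarc=fail; the
# classifier verdict is assumed (Sublime's ml.nlu_classifier is not reproduced).
SAMPLE_RAW = """\
Received: from mx2.example.net by mx.example.org; Mon, 1 Jan 2024 00:00:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bank.example.com;
 dmarc=fail (p=reject dis=none) header.from=bank.example.com
Received: from sender.example.com by mx2.example.net; Mon, 1 Jan 2024 00:00:00 +0000
Authentication-Results: mx2.example.net; spf=none
From: "Bank Security" <alerts@bank.example.com>
Subject: Verify your account

Your account is locked. Sign in within 24 hours to restore access.
"""
CONSTRUCTED_INTENTS = [{"name": "cred_theft", "confidence": "high"}]

DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.IGNORECASE)


def dmarc_results(raw: str) -> list:
    """Mirror headers.hops[].authentication_results.dmarc: one entry per
    Authentication-Results header, None when that hop wrote no dmarc= clause."""
    msg = email.message_from_string(raw)
    out = []
    for hdr in msg.get_all("Authentication-Results", []):
        m = DMARC_RE.search(hdr)
        out.append(m.group(1).lower() if m else None)
    return out


def dmarc_failed(raw: str) -> bool:
    """any(distinct(hops where dmarc is not null), ilike(dmarc, "*fail"))"""
    seen = {r for r in dmarc_results(raw) if r is not None}  # distinct, non-null
    return any(r.endswith("fail") for r in seen)  # case-insensitive "*fail"


def high_conf_cred_theft(intents: list) -> bool:
    """any(intents, .name in ("cred_theft") and .confidence == "high")"""
    return any(i["name"] == "cred_theft" and i["confidence"] == "high"
               for i in intents)


def rule_matches(raw: str, intents: list, inbound: bool = True) -> bool:
    """type.inbound and <DMARC fail on any hop> and <high-confidence cred_theft>."""
    return inbound and dmarc_failed(raw) and high_conf_cred_theft(intents)


if __name__ == "__main__":
    print(rule_matches(SAMPLE_RAW, CONSTRUCTED_INTENTS))  # True
```

Either condition alone is not enough: a DMARC failure with a medium-confidence verdict, or a high-confidence verdict on a message that passed DMARC, does not fire.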
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Brand impersonation, Credential phishing
Raw Content
name: "Impersonation: DMARC failure with high confidence credential theft intent"
description: "Detects DMARC failures and messages with a high confidence of credential theft"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(distinct(headers.hops, .authentication_results.dmarc is not null),
    strings.ilike(.authentication_results.dmarc, "*fail")
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
    .name in ("cred_theft") and .confidence == "high"
  )
tags:
  - "Brand impersonation"
  - "Credential phishing"