sublime · Exclusion
Huntress phishing simulation
Identifies phishing simulations sent by Huntress and excludes the message from live analysis.
Detection Query
// Exclusion rule: all of the conditions below are AND-ed together, so a
// message is only removed from live analysis when the delivery path, the
// simulation marker header, the sender domain AND a body-link domain all match.
type.inbound
and (
// SMTP Delivery
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// Any hop whose IP equals this address. NOTE(review): presumably the
// simulation vendor's sending infrastructure; confirm against the vendor's
// published sender IPs before relying on it, and re-check if that changes.
any(headers.ips, beta.ip_in(.ip, "18.205.140.116"))
// MS/GMAIL DMI
// Single-hop delivery, i.e. no SMTP relay chain. "DMI" presumably stands for
// direct mail injection into the mailbox provider — TODO confirm. This branch
// is a much weaker delivery signal than the IP check above, so in that case
// the header and domain conditions below carry the weight of the exclusion.
or length(headers.hops) == 1
)
// Simulation marker header on any hop. "=~" is a case-insensitive comparison,
// so the header name may appear in any letter case. "Curricula" is presumably
// the simulation platform's product name — confirm with the vendor.
and any(headers.hops, any(.fields, .name =~ "X-PHISHTEST-Curricula"))
// Platform message-id header, accepted with or without the "X-" prefix
// ("in~" is a case-insensitive membership test).
and any(headers.hops, any(.fields, .name in~ ('X-C-Message-Id', 'C-Message-Id')))
// The sender's registrable domain must be one of the simulation lookalike
// domains. Because this is an exclusion, every domain listed here bypasses
// analysis when the other conditions hold; only add domains known to be
// controlled by the simulation vendor, and review the list periodically.
and sender.email.domain.root_domain in (
"securitynotifications.org",
"security-updater.com",
"amazonsecurity.org",
"breach-notice.com",
"filesharingnow.com",
"mailbox-quota.com",
"passwordsnotification.com",
"securelinkedin.com",
"fraud-assistance.com",
"payment-process.com",
"news-article.com",
"invite-meeting.com",
"feedback-collect.com",
"businessnotice.org",
"databoxonline.com",
"electronic-hr.com",
"emailtransaction.com",
"employee-services.org",
"governmentnotice.org",
"notificationservices.org",
)
// At least one link in the body must resolve to the same set of lookalike
// domains. NOTE(review): this list duplicates the sender list above and has
// to be kept in sync by hand; a simulation message with no body links is not
// matched by this rule and will still be analysed.
and any(body.links,
.href_url.domain.root_domain in (
"securitynotifications.org",
"security-updater.com",
"amazonsecurity.org",
"breach-notice.com",
"filesharingnow.com",
"mailbox-quota.com",
"passwordsnotification.com",
"securelinkedin.com",
"fraud-assistance.com",
"payment-process.com",
"news-article.com",
"invite-meeting.com",
"feedback-collect.com",
"businessnotice.org",
"databoxonline.com",
"electronic-hr.com",
"emailtransaction.com",
"employee-services.org",
"governmentnotice.org",
"notificationservices.org",
)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime rule definition. An "exclusion" rule removes matching messages from
# live analysis, so its conditions should be as specific as possible: a match
# here means the message is not evaluated by other detection rules.
name: "Huntress phishing simulation"
description: "Identifies phishing simulations sent by Huntress and excludes the message from live analysis."
type: "exclusion"
# MQL source. All top-level clauses are AND-ed, so delivery path, simulation
# marker header, sender domain and a body-link domain must all match.
source: |
type.inbound
and (
// SMTP Delivery
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
// Any hop whose IP equals this address. NOTE(review): presumably the
// simulation vendor's sending infrastructure; confirm against the vendor's
// published sender IPs before relying on it, and re-check if that changes.
any(headers.ips, beta.ip_in(.ip, "18.205.140.116"))
// MS/GMAIL DMI
// Single-hop delivery, i.e. no SMTP relay chain. "DMI" presumably stands for
// direct mail injection into the mailbox provider — TODO confirm. This branch
// is a much weaker delivery signal than the IP check above, so in that case
// the header and domain conditions below carry the weight of the exclusion.
or length(headers.hops) == 1
)
// Simulation marker header on any hop. "=~" is a case-insensitive comparison,
// so the header name may appear in any letter case. "Curricula" is presumably
// the simulation platform's product name — confirm with the vendor.
and any(headers.hops, any(.fields, .name =~ "X-PHISHTEST-Curricula"))
// Platform message-id header, accepted with or without the "X-" prefix
// ("in~" is a case-insensitive membership test).
and any(headers.hops, any(.fields, .name in~ ('X-C-Message-Id', 'C-Message-Id')))
// The sender's registrable domain must be one of the simulation lookalike
// domains. Because this is an exclusion, every domain listed here bypasses
// analysis when the other conditions hold; only add domains known to be
// controlled by the simulation vendor, and review the list periodically.
and sender.email.domain.root_domain in (
"securitynotifications.org",
"security-updater.com",
"amazonsecurity.org",
"breach-notice.com",
"filesharingnow.com",
"mailbox-quota.com",
"passwordsnotification.com",
"securelinkedin.com",
"fraud-assistance.com",
"payment-process.com",
"news-article.com",
"invite-meeting.com",
"feedback-collect.com",
"businessnotice.org",
"databoxonline.com",
"electronic-hr.com",
"emailtransaction.com",
"employee-services.org",
"governmentnotice.org",
"notificationservices.org",
)
// At least one link in the body must resolve to the same set of lookalike
// domains. NOTE(review): this list duplicates the sender list above and has
// to be kept in sync by hand; a simulation message with no body links is not
// matched by this rule and will still be analysed.
and any(body.links,
.href_url.domain.root_domain in (
"securitynotifications.org",
"security-updater.com",
"amazonsecurity.org",
"breach-notice.com",
"filesharingnow.com",
"mailbox-quota.com",
"passwordsnotification.com",
"securelinkedin.com",
"fraud-assistance.com",
"payment-process.com",
"news-article.com",
"invite-meeting.com",
"feedback-collect.com",
"businessnotice.org",
"databoxonline.com",
"electronic-hr.com",
"emailtransaction.com",
"employee-services.org",
"governmentnotice.org",
"notificationservices.org",
)
)