Author: sublime | Severity: medium | Type: Rule

Apple state-sponsored attack warning

Detects legitimate Apple threat notifications warning users about potential state-sponsored mercenary attacks targeting their iPhone. These notifications contain specific language about targeted attacks and Apple's confidence level in the warning.

Detection Query

type.inbound
and sender.email.email == "threat-notifications@email.apple.com"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass
and subject.subject == "ALERT: State-sponsored attackers may be targeting your iPhone"
and strings.icontains(body.current_thread.text,
                      'This attack is likely targeting you specifically because of who you are or what you do'
)
and strings.icontains(body.current_thread.text,
                      'never possible to achieve absolute certainty when detecting such attacks'
)
and strings.icontains(body.current_thread.text,
                      'Apple has high confidence in this warning'
)
and strings.icontains(body.current_thread.text, 'Mercenary attacks')
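
To show how the conditions above combine, here is an added Python re-implementation of the rule's logic run over constructed sample messages. This is example code, not part of the Sublime rule or platform; the Message class and its field names are assumptions standing in for the MQL message object, and the message bodies are constructed text that embeds the phrases the rule looks for.

```python
from dataclasses import dataclass


@dataclass
class Message:
    """Constructed stand-in for the parts of the MQL message object this rule reads."""
    inbound: bool        # type.inbound
    sender_email: str    # sender.email.email
    spf_pass: bool       # headers.auth_summary.spf.pass
    dmarc_pass: bool     # headers.auth_summary.dmarc.pass
    subject: str         # subject.subject
    body_text: str       # body.current_thread.text


# Values taken directly from the rule.
EXPECTED_SENDER = "threat-notifications@email.apple.com"
EXPECTED_SUBJECT = "ALERT: State-sponsored attackers may be targeting your iPhone"
REQUIRED_PHRASES = (
    "This attack is likely targeting you specifically because of who you are or what you do",
    "never possible to achieve absolute certainty when detecting such attacks",
    "Apple has high confidence in this warning",
    "Mercenary attacks",
)


def icontains(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, mirroring MQL strings.icontains."""
    return needle.lower() in haystack.lower()


def matches_apple_threat_notification(msg: Message) -> bool:
    """Evaluate the rule: every clause is ANDed, so any failed check blocks a match."""
    return (
        msg.inbound
        # Exact sender match (MQL == is an exact comparison, not a substring test).
        and msg.sender_email == EXPECTED_SENDER
        # Both SPF and DMARC must pass so a spoofed From header alone cannot match.
        and msg.spf_pass
        and msg.dmarc_pass
        and msg.subject == EXPECTED_SUBJECT
        and all(icontains(msg.body_text, phrase) for phrase in REQUIRED_PHRASES)
    )


# Constructed body text containing the phrases the rule requires.
LEGIT_BODY = (
    "Apple detected activity suggesting you are being targeted. "
    "Mercenary attacks are rare and far more sophisticated than ordinary cybercrime. "
    "This attack is likely targeting you specifically because of who you are or what you do. "
    "It is never possible to achieve absolute certainty when detecting such attacks, "
    "but Apple has high confidence in this warning."
)


def evaluate_samples() -> dict:
    """Run the rule over constructed messages and return the verdict for each."""
    samples = {
        # Authenticated message from the expected sender with the expected wording.
        "legitimate": Message(True, EXPECTED_SENDER, True, True, EXPECTED_SUBJECT, LEGIT_BODY),
        # Same From address and wording, but DMARC fails: the rule does not match.
        "dmarc_fail": Message(True, EXPECTED_SENDER, True, False, EXPECTED_SUBJECT, LEGIT_BODY),
        # Constructed lookalike sender domain: the exact sender check does not match.
        "lookalike_sender": Message(
            True, "threat-notifications@email.apple.com.example", True, True,
            EXPECTED_SUBJECT, LEGIT_BODY,
        ),
        # Right sender and authentication, but the body lacks the required phrases.
        "wrong_body": Message(
            True, EXPECTED_SENDER, True, True, EXPECTED_SUBJECT,
            "Your Apple ID was used to sign in on a new device.",
        ),
    }
    return {name: matches_apple_threat_notification(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'match' if hit else 'no match'}")
```

Only the fully authenticated message from the exact sender with the rule's wording matches; the authentication and exact-sender clauses are what keep a lookalike or spoofed notification from triggering the same (medium-severity, informational) rule.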

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content

name: "Apple state-sponsored attack warning"
description: "Detects legitimate Apple threat notifications warning users about potential state-sponsored mercenary attacks targeting their iPhone. These notifications contain specific language about targeted attacks and Apple's confidence level in the warning."
type: "rule"
severity: "medium"
references:
  - "https://support.apple.com/en-us/102174"
source: |
  type.inbound
  and sender.email.email == "threat-notifications@email.apple.com"
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and subject.subject == "ALERT: State-sponsored attackers may be targeting your iPhone"
  and strings.icontains(body.current_thread.text,
                        'This attack is likely targeting you specifically because of who you are or what you do'
  )
  and strings.icontains(body.current_thread.text,
                        'never possible to achieve absolute certainty when detecting such attacks'
  )
  and strings.icontains(body.current_thread.text,
                        'Apple has high confidence in this warning'
  )
  and strings.icontains(body.current_thread.text, 'Mercenary attacks')