[Shared Samples] [PR #4631] added rule: PR# 4631 - Brand impersonation: Cloud services with credential theft intent

github-actions[bot] · github-actions[bot] · commit 2052ebf68b26 · 2026-06-05T21:50:08.000Z
diff --git a/detection-rules/4631_link_credential_cloud_service.yml b/detection-rules/4631_link_credential_cloud_service.yml
@@ -0,0 +1,88 @@
+name: "PR# 4631 - Brand impersonation: Cloud services with credential theft intent"
+description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji or Cloud+ text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    any([body.current_thread.text, body.html.inner_text],
+        strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+ ")
+    )
+    // cloud emoji
+    or regex.contains(body.current_thread.text, '^\x{2601}')
+    or regex.icontains(body.current_thread.text, '^!\s*Cloud storage')
+    // address in the body
+    or strings.icontains(body.current_thread.text,
+                         '4563 Cloud Way, Server City, CA'
+    )
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).intents,
+          .name == 'cred_theft' and .confidence == 'high'
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).topics,
+          .name in (
+            'File Sharing and Cloud Services',
+            'Payment Information',
+            'Financial Communications'
+          )
+          and .confidence != 'low'
+  )
+  // sender domain matches no body domains
+  and length(filter(body.links,
+                    .href_url.scheme != 'mailto'
+                    and .href_url.domain.root_domain is not null
+                    and .href_url.domain.root_domain != 'oracle.com'
+             )
+  ) > 0
+  and all(filter(body.links,
+                 .href_url.scheme != 'mailto'
+                 and .href_url.domain.root_domain is not null
+          ),
+          .href_url.domain.root_domain != coalesce(sender.email.domain.root_domain,
+                                                   ""
+          )
+  )
+  // negate legit cloud companies
+  and not (
+    coalesce(sender.email.domain.root_domain, "") in (
+      "cloud-cme.com",
+      "cloudcounting.online",
+      "cloudhealthtech.com",
+      "cloudpano.com"
+    )
+    // check for SPF or DMARC passed
+    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+  // negate Spark Cloud Attachments
+  and not any(headers.hops,
+              .index == 0
+              and any(.fields,
+                      .name == "X-Readdle-Spark-Cloud-Attachment"
+                      and .value is not null
+              )
+  )
+  and not (
+    sender.email.email == "noreply@icloud.com.cn"
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+  - "URL analysis"
+id: "07314893-def5-54d1-9885-d4fa37c25843"
+tags:
+  - created_from_open_prs
+  - rule_status_renamed
+  - pr_author_cybher0808
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4631
