[Test Rules] [PR #4372] added rule: Cloud storage impersonation with credential theft indicators

github-actions[bot] · github-actions[bot] · commit 45f91c29a9f7 · 2026-04-20T21:46:26.000Z
diff --git a/detection-rules/4372_credential_theft_cloud_storage_impersonation.yml b/detection-rules/4372_credential_theft_cloud_storage_impersonation.yml
@@ -0,0 +1,70 @@
+name: "Cloud storage impersonation with credential theft indicators"
+description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.current_thread.links) < 10
+  and any([subject.subject, sender.display_name],
+          regex.icontains(., "(?:cloud|storage|mailbox|account|system|service)")
+  )
+  and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
+          .name == "cred_theft" and .confidence == "high"
+  )
+  and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
+              .name == "Customer Service and Support" and .confidence == "high"
+  )
+  and regex.icontains(beta.ocr(file.message_screenshot()).text,
+                      "storage.{0,50}full",
+                      "free.{0,50}upgrade",
+                      "storage.{0,50}details",
+                      "storage.{0,50}quot",
+                      "(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)"
+  )
+  and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
+  and (
+    any(body.current_thread.links,
+        // fingerprints of a hyperlinked image
+        .display_text is null
+        and .display_url.url is null
+        and .href_url.domain.domain not in $tenant_domains
+        and (
+          .href_url.domain.root_domain in $free_file_hosts
+          or .href_url.domain.root_domain in $url_shorteners
+          or network.whois(.href_url.domain).days_old < 365
+          or .href_url.domain.root_domain == "beehiiv.com"
+          or regex.icontains(.href_url.path, '^\/[a-z0-9]{20,}$')
+          or (
+            strings.icontains(.href_url.path, '.html')
+            and coalesce(.href_url.domain.root_domain, "null") != sender.email.domain.root_domain
+          )
+        )
+    )
+  )
+  // and the sender is not from high trust sender root domains
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free file host"
+  - "Image as content"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"
+id: "748454c2-cfd2-5704-8b38-6c7d71849368"
+og_id: "4c20f72c-0045-518c-8157-7dad5f196ecc"
+testing_pr: 4372
+testing_sha: 57e5f533cbab4072a4d77c0d9190a08243c5c0cc
