[Shared Samples] [PR #4391] added rule: PR# 4391 - Credential phishing: Generic document share template

github-actions[bot] · github-actions[bot] · commit 75bd192c67cd · 2026-04-23T15:08:39.000Z
diff --git a/detection-rules/4391_credential_phishing_generic_template.yml b/detection-rules/4391_credential_phishing_generic_template.yml
@@ -0,0 +1,125 @@
+name: "PR# 4391 - Credential phishing: Generic document share template"
+description: "Detects messages that incorporate recipient-specific information (email domain, local part, or domain elements) alongside document-themed Unicode symbols and keywords. The rule identifies various targeting patterns including greeting-based personalization, attention-grabbing prefixes and multiple recipient elements. It also catches broken template attacks where recipient placeholders remain visible."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and (
+    // nlu capture for wide scope of greetings to reduce evasion
+    any(filter(ml.nlu_classifier(body.current_thread.text).entities,
+               .name == "greeting"
+        ),
+        any([
+              recipients.to[0].email.domain.sld,
+              recipients.to[0].email.local_part,
+              recipients.to[0].email.domain.domain
+            ],
+            // recipient entity follows the greeting in the body text
+            strings.icontains(body.current_thread.text,
+                              strings.concat(..text, " ", .)
+            )
+        )
+    )
+    or (
+      // nlu capture for wide scope of greetings to reduce evasion
+      any(filter(ml.nlu_classifier(body.current_thread.text).entities,
+                 .name == "greeting"
+          ),
+          any(filter(ml.nlu_classifier(body.current_thread.text).entities,
+                     .name == "recipient"
+              ),
+              // recipient entity follows the greeting in the body text
+              strings.icontains(body.current_thread.text,
+                                strings.concat(..text, " ", .text)
+              )
+              // the named recipient doesn't match the actual "to" recipient
+              and not any([
+                            recipients.to[0].email.domain.sld,
+                            recipients.to[0].email.local_part,
+                            recipients.to[0].email.domain.domain
+                          ],
+                          strings.icontains(..text, .)
+              )
+          )
+      )
+    )
+    or any([
+             recipients.to[0].email.domain.sld,
+             recipients.to[0].email.local_part,
+             recipients.to[0].email.domain.domain
+           ],
+           // strings logic for non-greeting body starter
+           strings.icontains(body.current_thread.text,
+                             strings.concat("attn: ", .)
+           )
+           // strings logic for recipient as starter
+           or strings.icontains(body.current_thread.text,
+                                strings.concat(., " balance statement")
+           )
+    )
+    // count of all recipient elements is higher 2 or greater
+    or length(filter([
+                       recipients.to[0].email.domain.sld,
+                       recipients.to[0].email.local_part,
+                       recipients.to[0].email.domain.domain
+                     ],
+                     strings.icontains(body.current_thread.text, .)
+              )
+    ) >= 2
+  
+    // logic for broken attack
+    or any(ml.nlu_classifier(body.current_thread.text).entities,
+           .name == "recipient" and regex.icontains(.text, '[{}]')
+    )
+  )
+  
+  // unicode + keyword generic template
+  and (
+    regex.icontains(body.current_thread.text,
+                    '(?:\x{2710}|\x{270D}|\x{270E}|\x{270F}|\x{1F4C1}|\x{1F4C4}|\x{1F4D1}|\x{1F4DD}|\x{1F4EC}|\x{1F589})\n?.{0,15}(?:document|completion|remit|review|statement|agree|shar(?:ed|ing)|receiv|\bmail\b)',
+                    '(?:document|completion|remit|review|statement|agree|shar(?:ed|ing)|receiv|\bmail\b)\n?.{0,15}(?:\x{2710}|\x{270D}|\x{270E}|\x{270F}|\x{1F4C1}|\x{1F4C4}|\x{1F4D1}|\x{1F4DD}|\x{1F4EC}|\x{1F589})'
+    )
+    // negate sharepoint paths with unicode
+    and not any(body.links,
+                regex.icontains(.display_url.path,
+                                '(?:\x{2710}|\x{270D}|\x{270E}|\x{270F}|\x{1F4C1}|\x{1F4C4}|\x{1F4D1}|\x{1F4DD}|\x{1F4EC}|\x{1F589})'
+                )
+    )
+  )
+  
+  // nlu negation for FP's
+  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  
+  // negate legitimate conversations
+  and not (
+    (length(headers.references) > 0 or headers.in_reply_to is not null)
+    and (subject.is_forward or subject.is_reply)
+    and length(body.previous_threads) >= 1
+  )
+
+tags:
+  - "Attack surface reduction"
+  - pr_author_missingn0pe
+  - created_from_open_prs
+  - rule_status_modified
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+id: "44d63e59-9ec9-57d6-9a6f-79e1f53d589a"
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4391
