
Commit 8c537f4

[Shared Samples] [PR #4691] added rule: PR# 4691 - Cloud storage impersonation with credential theft indicators
1 parent 9cecc4c commit 8c537f4

1 file changed

Lines changed: 89 additions & 0 deletions


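--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,89 @@
+name: "PR# 4691 - Cloud storage impersonation with credential theft indicators"
+description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and (
+0 < length(body.current_thread.links) < 10
+or length(body.current_thread.links) > 50
+)
+and any([subject.subject, sender.display_name],
+regex.icontains(.,
+"(?:cloud|storage|mailbox|account|system|service|^data)"
+)
+)
+and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
+.name == "cred_theft" and .confidence == "high"
+)
+and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
+.name == "Customer Service and Support" and .confidence == "high"
+)
+and regex.icontains(beta.ocr(file.message_screenshot()).text,
+"storage.{0,50}full",
+"free.{0,50}upgrade",
+"storage.{0,50}details",
+"storage.{0,50}quot",
+"(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)",
+'\d{2}%\s*capacity',
+"data.{0,20}(?:removal|purge|protection mode)",
+"billing.{0,20}suspended"
+)
+and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
+and (
+any(body.current_thread.links,
+// fingerprints of a hyperlinked image
+.display_text is null
+and .display_url.url is null
+and .href_url.domain.domain not in $tenant_domains
+and (
+.href_url.domain.root_domain in $free_file_hosts
+or .href_url.domain.root_domain in $url_shorteners
+or network.whois(.href_url.domain).days_old < 365
+or .href_url.domain.root_domain == "beehiiv.com"
+or regex.icontains(.href_url.path, '^\/[a-z0-9]{20,}$')
+or (
+strings.icontains(.href_url.path, '.html')
+and coalesce(.href_url.domain.root_domain, "null") != coalesce(sender.email.domain.root_domain,
+""
+)
+)
+or (
+any(body.links,
+regex.icontains(.href_url.url, '(?:;[^/]*){3,}')
+or regex.icontains(.href_url.path, '@')
+)
+)
+)
+)
+)
+// and the sender is not from high trust sender root domains
+and (
+(
+sender.email.domain.root_domain in $high_trust_sender_root_domains
+and not headers.auth_summary.dmarc.pass
+)
+or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+)
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Free file host"
+- "Image as content"
+- "Impersonation: Brand"
+- "Social engineering"
+detection_methods:
+- "Computer Vision"
+- "Content analysis"
+- "Header analysis"
+- "Natural Language Understanding"
+- "Optical Character Recognition"
+- "Sender analysis"
+- "URL analysis"
+id: "1228585e-ce7d-5186-acc8-369a0f9e3c15"
+tags:
+- created_from_open_prs
+- rule_status_modified
+- pr_author_JFarina5
+references:
+- https://github.com/sublime-security/sublime-rules/pull/4691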
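Review bot: The last alternative inside the hyperlinked-image predicate, `any(body.links, regex.icontains(.href_url.url, '(?:;[^/]*){3,}') or regex.icontains(.href_url.path, '@'))`, rebinds `.` to every link in the body, so as written it is satisfied by any body link with repeated `;` segments or an `@` in its path rather than by the image link's own href, which leaves the image link unconstrained beyond not being a tenant domain. If the intent is to test the image link itself, the two conditions should sit directly on the outer element as `or regex.icontains(.href_url.url, '(?:;[^/]*){3,}')` and `or regex.icontains(.href_url.path, '@')`, dropping the inner `any(body.links, …)`. The link-count gate `0 < length(body.current_thread.links) < 10 or length(body.current_thread.links) > 50` also skips messages with 10–50 current-thread links with no comment saying why; a one-line `//` comment on that block stating the reason would help the next maintainer. Separately, the description names only free file hosts, while the logic also accepts `$url_shorteners`, domains under 365 days old, `beehiiv.com`, and long random paths; widening the description to match the logic would keep the documentation accurate.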
