1+ name : " PR# 4691 - Cloud storage impersonation with credential theft indicators"
2+ description : " Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
3+ type : " rule"
4+ severity : " medium"
5+ source : |
6+ type.inbound
7+ and (
8+ 0 < length(body.current_thread.links) < 10
9+ or length(body.current_thread.links) > 50
10+ )
11+ and any([subject.subject, sender.display_name],
12+ regex.icontains(.,
13+ "(?:cloud|storage|mailbox|account|system|service|^data)"
14+ )
15+ )
16+ and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
17+ .name == "cred_theft" and .confidence == "high"
18+ )
19+ and not any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
20+ .name == "Customer Service and Support" and .confidence == "high"
21+ )
22+ and regex.icontains(beta.ocr(file.message_screenshot()).text,
23+ "storage.{0,50}full",
24+ "free.{0,50}upgrade",
25+ "storage.{0,50}details",
26+ "storage.{0,50}quot",
27+ "(?:mailbox|account|cloud).{0,50}(?:at risk|storage|disabled)",
28+ '\d{2}%\s*capacity',
29+ "data.{0,20}(?:removal|purge|protection mode)",
30+ "billing.{0,20}suspended"
31+ )
32+ and not strings.ilike(beta.ocr(file.message_screenshot()).text, "*free plan*")
33+ and (
34+ any(body.current_thread.links,
35+ // fingerprints of a hyperlinked image
36+ .display_text is null
37+ and .display_url.url is null
38+ and .href_url.domain.domain not in $tenant_domains
39+ and (
40+ .href_url.domain.root_domain in $free_file_hosts
41+ or .href_url.domain.root_domain in $url_shorteners
42+ or network.whois(.href_url.domain).days_old < 365
43+ or .href_url.domain.root_domain == "beehiiv.com"
44+ or regex.icontains(.href_url.path, '^\/[a-z0-9]{20,}$')
45+ or (
46+ strings.icontains(.href_url.path, '.html')
47+ and coalesce(.href_url.domain.root_domain, "null") != coalesce(sender.email.domain.root_domain,
48+ ""
49+ )
50+ )
51+ or (
52+ any(body.links,
53+ regex.icontains(.href_url.url, '(?:;[^/]*){3,}')
54+ or regex.icontains(.href_url.path, '@')
55+ )
56+ )
57+ )
58+ )
59+ )
60+ // and the sender is not from high trust sender root domains
61+ and (
62+ (
63+ sender.email.domain.root_domain in $high_trust_sender_root_domains
64+ and not headers.auth_summary.dmarc.pass
65+ )
66+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
67+ )
68+ attack_types :
69+ - " Credential Phishing"
70+ tactics_and_techniques :
71+ - " Free file host"
72+ - " Image as content"
73+ - " Impersonation: Brand"
74+ - " Social engineering"
75+ detection_methods :
76+ - " Computer Vision"
77+ - " Content analysis"
78+ - " Header analysis"
79+ - " Natural Language Understanding"
80+ - " Optical Character Recognition"
81+ - " Sender analysis"
82+ - " URL analysis"
83+ id : " 1228585e-ce7d-5186-acc8-369a0f9e3c15"
84+ tags :
85+ - created_from_open_prs
86+ - rule_status_modified
87+ - pr_author_JFarina5
88+ references :
89+ - https://github.com/sublime-security/sublime-rules/pull/4691
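Review bot: The nested `any(body.links, ...)` at gutter lines 52–55 rebinds `.` to every link in the body, so that branch is satisfied by any body link with the `(?:;[^/]*){3,}` or `@` pattern, not by the hyperlinked image link the outer `any(body.current_thread.links, ...)` is examining; the result is that any non-tenant image link passes once such a link exists anywhere in the message. If the intent is to fingerprint the image link itself, the inner `any` can be dropped and the two tests applied to the outer item: `or regex.icontains(.href_url.url, '(?:;[^/]*){3,}')` and `or regex.icontains(.href_url.path, '@')`. If the wider match is deliberate (a sibling condition shared with other rules), a one-line `// any link in the body, not only the image` comment on that branch would make it clear to the next maintainer. Since the rule is tagged `rule_status_modified` and generated from an open PR, this may simply be inherited wording, so treat the point as a question rather than a confirmed defect.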