1+ name : " PR# 4519 - Credential phishing: Suspicious subject with urgent financial request and link"
2+ description : " This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender."
3+ type : " rule"
4+ severity : " medium"
5+ source : |
6+ type.inbound
7+ and (
8+ 0 < length(filter(body.links,
9+ not strings.ilike(.display_text,
10+ "*privacy*",
11+ "*terms of service*",
12+ "Learn why this is important"
13+ )
14+ or .display_text is null
15+ )
16+ ) < 5
17+ )
18+
19+ // negate webinar registrations
20+ and not any(body.links,
21+ .display_text =~ "REGISTER NOW"
22+ and .href_url.domain.root_domain == "secureclick.net"
23+ )
24+
25+ // not all links are unsubscribe links
26+ and not all(body.links,
27+ (
28+ strings.icontains(.display_text, "unsubscribe")
29+ and strings.icontains(.href_url.path, "unsubscribe")
30+ )
31+ or (
32+ strings.icontains(.display_text, "deactivate")
33+ and strings.icontains(.href_url.path, "DeactivateAccount")
34+ )
35+ )
36+
37+ // ignore emails in body
38+ and not all(body.links, .href_url.domain.domain in $free_email_providers)
39+ and length(body.current_thread.text) < 2000
40+ and length(subject.subject) < 100
41+
42+ // and suspicious subject
43+ and regex.icontains(subject.subject,
44+ // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects_regex.txt
45+ "termination.*notice",
46+ "38417",
47+ ":completed",
48+ "[il1]{2}mit.*ma[il1]{2} ?bo?x",
49+ "[il][il][il]egai[ -]",
50+ "[li][li][li]ega[li] attempt",
51+ "[ng]-?[io]n .*block",
52+ "[ng]-?[io]n .*cancel",
53+ "[ng]-?[io]n .*deactiv",
54+ "[ng]-?[io]n .*disabl",
55+ "action.*required",
56+ "abandon.*package",
57+ "about.your.account",
58+ "acc(ou)?n?t (is )?on ho[li]d",
59+ "acc(ou)?n?t.*terminat",
60+ "acc(oun)?t.*[il1]{2}mitation",
61+ "access.*limitation",
62+ "account (will be )?block",
63+ "account.*de-?activat",
64+ "account.*locked",
65+ "account.*re-verification",
66+ "account.*security",
67+ "account.*suspension",
68+ "account.has.been",
69+ "account.has.expired",
70+ "account.will.be.blocked",
71+ "account v[il]o[li]at",
72+ "activity.*acc(oun)?t",
73+ "almost.full",
74+ "app[li]e.[il]d",
75+ "authenticate.*account",
76+ "been.*suspend",
77+ "clos.*of.*account.*processed",
78+ "confirm.your.account",
79+ "courier.*able",
80+ "crediential.*notif",
81+ "deactivation.*in.*progress",
82+ "delivery.*attempt.*failed",
83+ "document.(?:submitted|received)",
84+ "documented.*shared.*with.*you",
85+ "dropbox.*document",
86+ "e-?ma[il1]+ .{010}suspen",
87+ "e-?ma[il1]{1} user",
88+ "e-?ma[il1]{2} acc",
89+ "e-?ma[il1]{2}.*up.?grade",
90+ "e.?ma[il1]{2}.*server",
91+ "e.?ma[il1]{2}.*suspend",
92+ "email.update",
93+ "faxed you",
94+ "^final reminder: .*(?:overdue|resolve|access ends)",
95+ "fraud(ulent)?.*charge",
96+ "from.helpdesk",
97+ "fu[il1]{2}.*ma[il1]+[ -]?box",
98+ "has.been.*suspended",
99+ "has.been.limited",
100+ "have.locked",
101+ "he[li]p ?desk upgrade",
102+ "heipdesk",
103+ "i[il]iega[il]",
104+ "ii[il]ega[il]",
105+ "incoming e?mail",
106+ "incoming.*fax",
107+ "lock.*security",
108+ "ma[il1]{1}[ -]?box.*quo",
109+ "ma[il1]{2}[ -]?box.*fu[il1]",
110+ "ma[il1]{2}box.*[il1]{2}mit",
111+ "ma[il1]{2}box stor",
112+ "mail on.?hold",
113+ "mail.*box.*migration",
114+ "mail.*de-?activat",
115+ "mail.update.required",
116+ "mails.*pending",
117+ "messages.*pending",
118+ "missed.*shipping.*notification",
119+ "missed.shipment.notification",
120+ "must.update.your.account",
121+ "new [sl][io]g?[nig][ -]?in from",
122+ "new voice ?-?mail",
123+ "notifications.*pending",
124+ "office.*3.*6.*5.*suspend",
125+ "office365",
126+ "on google docs with you",
127+ "online doc",
128+ "password.*compromised",
129+ "periodic maintenance",
130+ "potential(ly)? unauthorized",
131+ "refund not approved",
132+ "revised.*policy",
133+ "scam",
134+ "scanned.?invoice",
135+ "secured?.update",
136+ "security breach",
137+ "securlty",
138+ "signed.*delivery",
139+ "status of your .{314}? ?delivery",
140+ "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
141+ "suspicious.*sign.*[io]n",
142+ "suspicious.activit",
143+ "temporar(il)?y deactivate",
144+ "temporar[il1]{2}y disab[li]ed",
145+ "temporarily.*lock",
146+ "un-?usua[li].activity",
147+ "unable.*deliver",
148+ "unauthorized.*activit",
149+ "unauthorized.device",
150+ "unauthorized.sign.?in",
151+ "unrecognized.*activit",
152+ "unrecognized.sign.?in",
153+ "unrecognized.*activit",
154+ "undelivered message",
155+ "unread.*doc",
156+ "unusual.activity",
157+ "upgrade.*account",
158+ "upgrade.notice",
159+ "urgent message",
160+ "urgent.verification",
161+ "v[il1]o[li1]at[il1]on security",
162+ "va[il1]{1}date.*ma[il1]{2}[ -]?box",
163+ "verification ?-?require",
164+ "verification( )?-?need",
165+ "verify.your?.account",
166+ "web ?-?ma[il1]{2}",
167+ "web[ -]?ma[il1]{2}",
168+ "will.be.suspended",
169+ "your (customer )?account .as",
170+ "your.office.365",
171+ "your.online.access",
172+
173+ // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
174+ "account has been limited",
175+ "action required",
176+ "almost full",
177+ "apd notifi cation",
178+ "are you at your desk",
179+ "are you available",
180+ "attached file to docusign",
181+ "banking is temporarily unavailable",
182+ "bankofamerica",
183+ "closing statement invoice",
184+ "completed: docusign",
185+ "de-activation of",
186+ "delivery attempt",
187+ "delivery stopped for shipment",
188+ "detected suspicious",
189+ "detected suspicious actvity",
190+ "docu sign",
191+ "document for you",
192+ "document has been sent to you via docusign",
193+ "document is ready for signature",
194+ "docusign",
195+ "encrypted message",
196+ "failed delivery",
197+ "fedex tracking",
198+ "file was shared",
199+ "freefax",
200+ "fwd: due invoice paid",
201+ "has shared",
202+ "inbox is full",
203+ "invitation to comment",
204+ "invitation to edit",
205+ "invoice due",
206+ "left you a message",
207+ "message from",
208+ "new message",
209+ "new voicemail",
210+ "on desk",
211+ "out of space",
212+ "password reset",
213+ "payment status",
214+ "quick reply",
215+ "re: w-2",
216+ "required",
217+ "required: completed docusign",
218+ "ringcentral",
219+ "scanned image",
220+ "secured files",
221+ "secured pdf",
222+ "security alert",
223+ "new sign-in",
224+ "new sign in",
225+ "sign-in attempt",
226+ "sign in attempt",
227+ "staff review",
228+ "suspicious activity",
229+ "unrecognized login attempt",
230+ "upgrade immediately",
231+ "urgent",
232+ "wants to share",
233+ '\bw2\b',
234+ "you have notifications pending",
235+ "your account",
236+ "your amazon order",
237+ "your document settlement",
238+ "your order with amazon",
239+ "your password has been compromised",
240+ "ach? (?:payment|transfer|transaction)",
241+
242+ // cryptocurrency related subjects
243+ '\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview',
244+ )
245+
246+ // language attempting to engage
247+ and any(ml.nlu_classifier(body.current_thread.text).entities,
248+ .name == "request"
249+ )
250+
251+ // financial request
252+ and any(ml.nlu_classifier(body.current_thread.text).entities,
253+ .name == "financial"
254+ )
255+
256+ // urgency request
257+ and any(ml.nlu_classifier(body.current_thread.text).entities,
258+ .name in ("urgency", "greeting")
259+ )
260+
261+ // org presence
262+ and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")
263+
264+ // not a reply
265+ and (
266+ not strings.istarts_with(subject.subject, "re:")
267+ and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
268+ or not length(headers.reply_to) > 0
269+ )
270+
271+ // the message is unsolicited and no false positives
272+ and (
273+ not profile.by_sender_email().solicited
274+ or (
275+ profile.by_sender().any_messages_malicious_or_spam
276+ and not profile.by_sender().any_messages_benign
277+ )
278+ or (
279+ profile.by_sender().any_messages_malicious_or_spam
280+ and profile.by_sender().any_messages_benign
281+ and (
282+ not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass
283+ )
284+ )
285+ )
286+
287+ // negate highly trusted sender domains unless they fail DMARC authentication
288+ and (
289+ (
290+ sender.email.domain.root_domain in $high_trust_sender_root_domains
291+ and not headers.auth_summary.dmarc.pass
292+ )
293+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
294+ )
295+
296+ // negation the only link is the senders email
297+ and not (
298+ regex.contains(body.current_thread.text,
299+ "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}"
300+ )
301+ and (
302+ all(body.links, .href_url.domain.root_domain == sender.email.domain.domain)
303+ )
304+ )
305+ attack_types :
306+ - " Credential Phishing"
307+ tactics_and_techniques :
308+ - " Impersonation: Brand"
309+ - " Social engineering"
310+ detection_methods :
311+ - " Content analysis"
312+ - " Header analysis"
313+ - " Natural Language Understanding"
314+ - " Sender analysis"
315+ id : " 0744a719-a433-5599-a45f-5047b35f8ea9"
316+ tags :
317+ - created_from_open_prs
318+ - rule_status_modified
319+ - pr_author_cybher0808
320+ references :
321+ - https://github.com/sublime-security/sublime-rules/pull/4519
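Review bot: In the `// not a reply` block the trailing `or not length(headers.reply_to) > 0` is `or`-ed against the two preceding `and`-ed tests, so any message without a Reply-To header (the common case) satisfies the whole block even when the subject starts with `re:` and an In-Reply-To field is present; either wrap the first two tests in their own parentheses to make that precedence deliberate, or change the `or` to `and` if all three conditions are meant to hold. Two quantifiers in the suspicious-subject regex list look like dropped commas: `"e-?ma[il1]+ .{010}suspen"` requires exactly ten characters and `"status of your .{314}? ?delivery"` exactly 314, which can never match given the `length(subject.subject) < 100` guard earlier in the rule; `.{0,10}` and `.{3,14}` are presumably intended. `"unrecognized.*activit"` appears twice in the same list and the second copy can be dropped. In the final `// negation the only link is the senders email` block, `.href_url.domain.root_domain` is compared with `sender.email.domain.domain`, so the exclusion does not apply to senders on a subdomain; comparing `root_domain` to `root_domain` would match the other domain checks in the rule.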