Medium Severity

Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender

Labels

Credential Phishing

Evasion

Social engineering

File analysis

Header analysis

Natural Language Understanding

Sender analysis

Description

This rule identifies messages with an RFC822 attachment contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited, and has not been previously flagged as a false positive.

References

No references.

Sublime Security

Created Apr 3rd, 2024 • Last updated Apr 3rd, 2024

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        .file_type == "unknown"
        and .content_type == "message/rfc822"
        and regex.contains(file.parse_eml(.).subject.subject,
                           '(shared.{0,30}with you|View Document)'
        )
        and 0 < length(file.parse_eml(.).body.links) < 10
        and file.parse_eml(.).sender.email.email not in $recipient_emails

        // exclude bounce backs & read receipts
        and not strings.like(file.parse_eml(.).sender.email.local_part,
                             "*postmaster*",
                             "*mailer-daemon*",
                             "*administrator*"
        )
        and not regex.imatch(file.parse_eml(.).subject.subject,
                             "(undeliverable|read:).*"
        )
        and not any(file.parse_eml(.).attachments,
                    .content_type == "message/delivery-status"
        )

        // negate highly trusted sender domains in the nested eml unless they fail DMARC
        and (
          (
            file.parse_eml(.).sender.email.domain.root_domain in $high_trust_sender_root_domains
            and (
              any(distinct(file.parse_eml(.).headers.hops,
                           .authentication_results.dmarc is not null
                  ),
                  strings.ilike(.authentication_results.dmarc, "*fail")
              )
            )
          )
          or file.parse_eml(.).sender.email.domain.root_domain not in $high_trust_sender_root_domains
        )
        // negate org domains that passed dmarc
        and not file.parse_eml(.).sender.email.domain.root_domain in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and not profile.by_sender().any_false_positives

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.