High Severity
Link: Credential Phishing traversing Russian infrastructure
Description
This rule detects credential phishing attempts in emails traversing Russian TLDs by aggressively analyzing links for signs of phishing, including suspicious keywords, login prompts, or links flagged for credential theft, excluding emails from trusted domains unless they fail DMARC verification.
References
No references.
Sublime Security
Created Jul 19th, 2024 • Last updated Jul 19th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and any(headers.domains, .tld in ("ru", "su"))
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
and 0 < length(body.links) < 5
and any(body.links,
beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
or (
strings.icontains(beta.linkanalysis(., mode="aggressive").final_dom.raw,
"Pàsswórd"
)
and (
beta.linkanalysis(., mode="aggressive").credphish.contains_login
or beta.linkanalysis(.).credphish.contains_captcha
)
)
or beta.linkanalysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.