Medium Severity
X (Twitter) Impersonation with Credential Phishing motives
Description
This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.
References
No references.
Sublime Security
Created Oct 19th, 2023 • Last updated Dec 16th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and sender.display_name =~ "x"
and sender.email.domain.root_domain not in ("twitter.com", "x.com")
and (
any(attachments,
.file_type in~ $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
// sender profile is new or outlier
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or sender.email.email in ("noreply@salesforce.com", "support@salesforce.com")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
// salesforce has been abused for x/twitter phishing campaigns repeatedly
or sender.email.domain.root_domain == "salesforce.com"
)
Playground
Test against your own EMLs or sample data.