[PR #3057] changed rule: Credential phishing: 'Secure message' and engaging language

github-actions[bot] · github-actions[bot] · commit 5ba61d917d89 · 2025-08-07T11:06:26.000Z
diff --git a/detection-rules/3057_link_credential_phishing_secure_message.yml b/detection-rules/3057_link_credential_phishing_secure_message.yml
@@ -0,0 +1,146 @@
+name: "Credential phishing: 'Secure message' and engaging language"
+description: |
+  Body contains language resembling credential theft, and a "secure message" from an untrusted sender.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft" and .confidence == "high"
+    )
+    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
+           .name == "cred_theft" and .confidence in ("medium", "high")
+    )
+  )
+  
+  // ----- other suspicious signals here -----
+  and (
+    (
+      regex.icontains(body.current_thread.text, "secure (message|directory)")
+      or strings.icontains(body.current_thread.text, "document portal")
+      or strings.icontains(body.current_thread.text, "encrypted message")
+      or strings.icontains(body.current_thread.text, "protected message")
+      or strings.icontains(body.current_thread.text, "secured by")
+    )
+    or any(body.previous_threads,
+           regex.icontains(.text, "secure (message|directory)")
+           or strings.icontains(.text, "document portal")
+           or strings.icontains(.text, "encrypted message")
+           or strings.icontains(.text, "protected message")
+           or strings.icontains(.text, "secured by")
+    )
+  )
+  // todo: automated display name / human local part
+  // todo: suspicious link (unfurl click trackers)
+  
+  // ----------
+  
+  // has at least 1 link
+  and length(body.links) > 0
+  
+  // negate legitimate message senders
+  and (
+    sender.email.domain.root_domain not in ("protectedtrust.com")
+    and any(body.links,
+            .href_url.domain.root_domain != sender.email.domain.root_domain
+    )
+    // Negate known secure mailer(s)
+    and not all(body.links,
+                .href_url.domain.root_domain in (
+                  "mimecast.com",
+                  "cisco.com",
+                  "csiesafe.com"
+                )
+    )
+    and any(headers.hops,
+            .index == 0
+            and not any(.fields,
+                        strings.contains(.value,
+                                         'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"'
+                        )
+            )
+    )
+    and not (
+      length(filter(attachments,
+                    strings.ilike(.file_name,
+                                  "logo.*",
+                                  "lock.gif",
+                                  "SecureMessageAtt.html"
+                    )
+             )
+      ) == 3
+      and any(attachments,
+              .file_type == "html"
+              and any(file.explode(.),
+                      .scan.html.title == "Proofpoint Encryption"
+                      and any(.scan.url.urls,
+                              strings.iends_with(.path,
+                                                 'formpostdir/safeformpost.aspx'
+                              )
+                      )
+              )
+              and strings.count(file.parse_html(.).raw, 'name="msg') > 3
+      )
+    )
+    and not (
+      any(headers.hops, any(.fields, .name == 'X-ZixNet'))
+      and any(headers.domains,
+              .root_domain in (
+                "zixport.com",
+                "zixcorp.com",
+                "zixmail.net",
+                "zixworks.com"
+              )
+      )
+    )
+    and not (
+      any(headers.hops, any(.fields, .name == 'X-SendInc-Message-Id'))
+      and any(headers.domains, .root_domain in ("sendinc.net"))
+    )
+    // negating Mimecast sends with MS banner and/or sender's email pulled out as a link
+    and not length(filter(body.links,
+                          (
+                            .display_text is null
+                            and .display_url.url == sender.email.domain.root_domain
+                          )
+                          or .href_url.domain.root_domain in (
+                            "aka.ms",
+                            "mimecast.com",
+                            "cisco.com"
+                          )
+                   )
+    ) == length(body.links)
+  )
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+  and not profile.by_sender().any_messages_benign
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "0854fcc1-6b01-5231-aa50-0cc8610b9143"
+og_id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"
+testing_pr: 3057
+testing_sha: 64d9e4103935121a6e7dd8ac9c4e8ca8d238fa60
