name: "Cloud storage impersonation with credential theft indicators"
2
+
description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
3
+
type: "rule"
4
+
severity: "medium"
5
+
source: |
6
+
type.inbound
7
+
and (
8
+
0 < length(body.links) < 8
9
+
and any([subject.subject, sender.display_name],
10
+
regex.icontains(., "cloud|storage|mailbox")
11
+
)
12
+
)
13
+
and (
14
+
any(file.explode(beta.message_screenshot()),
15
+
any(ml.nlu_classifier(.scan.ocr.raw).intents,
16
+
.name == "cred_theft" and .confidence == "high"
17
+
)
18
+
and regex.icontains(.scan.ocr.raw,
19
+
"storage.{0,50}full",
20
+
"free.{0,50}upgrade",
21
+
"storage.{0,50}details",
22
+
"storage.{0,50}quot",
23
+
"mailbox|cloud|account.{0,50}disabled",
24
+
"email|cloud|total.{0,50}storage"
25
+
)
26
+
and not strings.ilike(.scan.ocr.raw, "*free plan*")
27
+
)
28
+
)
29
+
and (
30
+
any(body.links,
31
+
// fingerprints of a hyperlinked image
32
+
.display_text is null
33
+
and .display_url.url is null
34
+
and (
35
+
.href_url.domain.root_domain in $free_file_hosts
36
+
or .href_url.domain.root_domain == "beehiiv.com"
37
+
)
38
+
)
39
+
)
40
+
41
+
// and the sender is not from high trust sender root domains
42
+
and (
43
+
(
44
+
sender.email.domain.root_domain in $high_trust_sender_root_domains
45
+
and not headers.auth_summary.dmarc.pass
46
+
)
47
+
or sender.email.domain.root_domain not in $high_trust_sender_root_domains