name: "Cloud storage impersonation with credential theft indicators"
2
+
description: "Detects messages impersonating cloud storage services that contain hyperlinked images leading to free file hosts, where message screenshots reveal high-confidence credential theft language and storage-related urgency tactics."
3
+
type: "rule"
4
+
severity: "medium"
5
+
source: |
6
+
type.inbound
7
+
and length(body.current_thread.text) > 120
8
+
and (
9
+
0 < length(body.links) < 8
10
+
and any([subject.subject, sender.display_name],
11
+
regex.icontains(., "(?:cloud|storage|mailbox)")
12
+
)
13
+
)
14
+
and (
15
+
any(file.explode(beta.message_screenshot()),
16
+
any(ml.nlu_classifier(.scan.ocr.raw).intents,
17
+
.name == "cred_theft" and .confidence == "high"
18
+
)
19
+
and regex.icontains(.scan.ocr.raw,
20
+
"storage.{0,50}full",
21
+
"free.{0,50}upgrade",
22
+
"storage.{0,50}details",
23
+
"storage.{0,50}quot",
24
+
"(?:mailbox|cloud|account).{0,50}disabled",
25
+
"(?:email|cloud|total).{0,50}storage"
26
+
)
27
+
and not strings.ilike(.scan.ocr.raw, "*free plan*")
28
+
)
29
+
)
30
+
and (
31
+
any(body.links,
32
+
// fingerprints of a hyperlinked image
33
+
.display_text is null
34
+
and .display_url.url is null
35
+
and (
36
+
.href_url.domain.root_domain in $free_file_hosts
37
+
or .href_url.domain.root_domain == "beehiiv.com"
38
+
)
39
+
)
40
+
)
41
+
42
+
// and the sender is not from high trust sender root domains
43
+
and (
44
+
(
45
+
sender.email.domain.root_domain in $high_trust_sender_root_domains
46
+
and not headers.auth_summary.dmarc.pass
47
+
)
48
+
or sender.email.domain.root_domain not in $high_trust_sender_root_domains