X (Twitter) impersonation with credential phishing motives

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule flags impersonation attempts in which the sender display name is exactly "X" (compared case-insensitively; the rule body shown below does not inspect the sender's local part), provided the message does not originate from twitter.com or x.com. Natural Language Understanding (NLU) is then run over the current thread's body text and over the OCR'd text of image attachments, and the message is flagged only when a credential-theft intent is returned with medium or high confidence (anything other than "low").

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Attack types: Credential Phishing
Tactics and techniques: Impersonation: Brand, Social engineering

Event coverage

Rule body MQL

type.inbound
and sender.display_name =~ "x"
and sender.email.domain.root_domain not in ("twitter.com", "x.com")
and (
  any(attachments,
      .file_type in~ $file_types_images
      and any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
      )
  )
  or any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence != "low"
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains

  // salesforce has been abused for x/twitter phishing campaigns repeatedly 
  or sender.email.domain.root_domain == "salesforce.com"
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. sender.display_name is 'x' (whole-string, case-insensitive equality; "X Corp" or "X Support" do not satisfy this)
  3. sender.email.domain.root_domain not in ('twitter.com', 'x.com')
  4. any of:
    • any of attachments where all hold:
      • .file_type in $file_types_images
      • any of file.explode(.) where:
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
          • .name is 'cred_theft'
          • .confidence is not 'low'
    • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
      • .name is 'cred_theft'
      • .confidence is not 'low'
  5. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
    • sender.email.domain.root_domain is 'salesforce.com'

Step 5 suppresses matches from high-trust sender domains unless the message fails DMARC, so a spoofed trusted domain still matches. salesforce.com is exempted from that suppression (it matches even when DMARC passes) because, per the rule comment, Salesforce infrastructure has repeatedly been abused for X/Twitter phishing campaigns.

Inspects: attachments[].file_type, body.current_thread.text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.nlu_classifier. Reference lists: $file_types_images, $high_trust_sender_root_domains.
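The detection logic above, re-implemented in Python as an added example so the edge cases can be exercised offline. This is not Sublime's code and MQL itself only runs inside the platform; the NLU classifier output, the result of file.explode and the two reference lists are supplied as data on each constructed message, root_domain is a last-two-labels simplification of sender.email.domain.root_domain, and =~ is modelled as whole-string case-insensitive equality.

```python
# Added example (not Sublime's code): the rule's boolean structure in Python,
# run over constructed messages to check the edge cases in the rule body
# (case-insensitive display-name match, trusted-domain/DMARC gate,
# salesforce.com exemption, low-confidence intents, image-only lures).
from dataclasses import dataclass, field

# Assumed stand-ins for the Sublime reference lists; the real lists are larger.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "google.com", "salesforce.com"}
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp"}


@dataclass
class Intent:
    name: str
    confidence: str          # "low", "medium" or "high"


@dataclass
class Attachment:
    file_type: str
    ocr_intents: list        # classifier output for the OCR'd text of the exploded file


@dataclass
class Message:
    inbound: bool
    display_name: str
    sender_email: str
    dmarc_pass: bool
    body_intents: list = field(default_factory=list)   # classifier output for body.current_thread.text
    attachments: list = field(default_factory=list)


def root_domain(email: str) -> str:
    """Simplified sender.email.domain.root_domain: last two labels of the sender domain.
    The real field uses the public suffix list (e.g. example.co.uk); this assumption
    is adequate only for the constructed samples below."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def cred_theft(intents) -> bool:
    # any(intents, .name == "cred_theft" and .confidence != "low")
    return any(i.name == "cred_theft" and i.confidence != "low" for i in intents)


def matches(msg: Message) -> bool:
    # sender.display_name =~ "x": whole-string, case-insensitive equality,
    # so "X Corp" or "X Support" do not satisfy it.
    if not (msg.inbound and msg.display_name.lower() == "x"):
        return False
    root = root_domain(msg.sender_email)
    if root in ("twitter.com", "x.com"):
        return False
    # Either an image attachment whose OCR text classifies as cred_theft,
    # or the thread body itself does (medium/high confidence only).
    image_hit = any(a.file_type.lower() in FILE_TYPES_IMAGES and cred_theft(a.ocr_intents)
                    for a in msg.attachments)
    if not (image_hit or cred_theft(msg.body_intents)):
        return False
    # Trusted-domain gate: a high-trust sender only matches when DMARC failed,
    # except salesforce.com, which the rule matches regardless.
    trusted = root in HIGH_TRUST_SENDER_ROOT_DOMAINS
    return (not trusted) or (not msg.dmarc_pass) or root == "salesforce.com"


HIGH = [Intent("cred_theft", "high")]

# Constructed sample messages (not real campaign data).
SAMPLES = {
    "lookalike_phish":  Message(True, "X", "security@x-account-verify.example", False, body_intents=HIGH),
    "genuine_x":        Message(True, "X", "info@x.com", True, body_intents=HIGH),
    "x_corp_name":      Message(True, "X Corp", "news@example.net", False, body_intents=HIGH),
    "low_confidence":   Message(True, "x", "news@example.net", False,
                                body_intents=[Intent("cred_theft", "low")]),
    "trusted_dmarc_ok": Message(True, "X", "no-reply@google.com", True, body_intents=HIGH),
    "trusted_spoofed":  Message(True, "X", "no-reply@google.com", False, body_intents=HIGH),
    "salesforce_abuse": Message(True, "X", "noreply@salesforce.com", True, body_intents=HIGH),
    "image_only":       Message(True, "x", "alerts@example.net", False,
                                attachments=[Attachment("png", [Intent("cred_theft", "medium")])]),
    "outbound":         Message(False, "X", "me@corp.example", True, body_intents=HIGH),
}


def evaluate_all() -> dict:
    """Rule verdict per constructed sample."""
    return {name: matches(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:18} {'MATCH' if hit else 'no match'}")
```

Running it shows the two verdicts that are easy to get wrong when reading the rule: a trusted domain that passes DMARC is suppressed even with a high-confidence cred_theft intent, while salesforce.com with passing DMARC still matches because of the explicit exemption.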

Indicators matched (6)

Field | Match | Value
sender.display_name | equals (case-insensitive) | x
sender.email.domain.root_domain | member (negated: the rule excludes this domain) | twitter.com
sender.email.domain.root_domain | member (negated: the rule excludes this domain) | x.com
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name | equals | cred_theft
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft
sender.email.domain.root_domain | equals | salesforce.com