Credential phishing: Engaging language and other indicators (untrusted sender)

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Free email provider, Social engineering

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
body.ips (collection)
body.links (collection)
headers (collection)
headers.auth_summary
headers.return_path
recipients
recipients.to (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  regex.icontains(subject.subject,
                  "termination.*notice",
                  "38417",
                  ":completed",
                  "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                  "[il][il][il]egai[ -]",
                  "[li][li][li]ega[li] attempt",
                  "[ng]-?[io]n .*block",
                  "[ng]-?[io]n .*cancel",
                  "[ng]-?[io]n .*deactiv",
                  "[ng]-?[io]n .*disabl",
                  "action.*required",
                  "abandon.*package",
                  "about.your.account",
                  "acc(ou)?n?t (is )?on ho[li]d",
                  "acc(ou)?n?t.*terminat",
                  "acc(oun)?t.*[il1]{2}mitation",
                  "access.*limitation",
                  "account (will be )?block",
                  "account.*de-?activat",
                  "account.*locked",
                  "account.*re-verification",
                  "account.*security",
                  "account.*suspension",
                  "account.has.expired",
                  "account.will.be.blocked",
                  "account v[il]o[li]at",
                  "activity.*acc(oun)?t",
                  "almost.full",
                  "app[li]e.[il]d",
                  "authenticate.*account",
                  "been.*suspend",
                  "crediential.*notif",
                  "clos.*of.*account.*processed",
                  "confirm.your.account",
                  "courier.*able",
                  "crediential.*notif",
                  "deactivation.*in.*progress",
                  "delivery.*attempt.*failed",
                  "disconnection.*notice",
                  "document.received",
                  "documented.*shared.*with.*you",
                  "dropbox.*document",
                  "e-?ma[il1]+ .{010}suspen",
                  "e-?ma[il1]{1} user",
                  "e-?ma[il1]{2} acc",
                  "e-?ma[il1]{2} preview",
                  "e-?ma[il1]{2}.*up.?grade",
                  "e.?ma[il1]{2}.*server",
                  "e.?ma[il1]{2}.*suspend",
                  "email.update",
                  "faxed you",
                  "fraud(ulent)?.*charge",
                  "from.helpdesk",
                  "fu[il1]{2}.*ma[il1]+[ -]?box",
                  "has.been.*suspended",
                  "has.been.limited",
                  "have.locked",
                  "he[li]p ?desk upgrade",
                  "heipdesk",
                  "i[il]iega[il]",
                  "ii[il]ega[il]",
                  "incoming e?mail",
                  "incoming.*fax",
                  "lock.*security",
                  "ma[il1]{1}[ -]?box.*quo",
                  "ma[il1]{2}[ -]?box.*fu[il1]",
                  "ma[il1]{2}box.*[il1]{2}mit",
                  "ma[il1]{2}box stor",
                  "mail on.?hold",
                  "mail.*box.*migration",
                  "mail.*de-?activat",
                  "mail.update.required",
                  "mails.*pending",
                  "messages.*pending",
                  "missed.*shipping.*notification",
                  "missed.shipment.notification",
                  "must.update.your.account",
                  "new [sl][io]g?[nig][ -]?in from",
                  "new voice ?-?mail",
                  "notifications.*pending",
                  "office.*3.*6.*5.*suspend",
                  "office365",
                  "on google docs with you",
                  "online doc",
                  "password.*compromised",
                  "(?:payroll|salary|bonus).*Distribution",
                  "periodic maintenance",
                  "potential(ly)? unauthorized",
                  "refund not approved",
                  "report",
                  "revised.*policy",
                  "scam",
                  "scanned.?invoice",
                  "secured?.update",
                  "security breach",
                  "securlty",
                  "signed.*delivery",
                  "status of your .{314}? ?delivery",
                  "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                  "suspicious.*sign.*[io]n",
                  "suspicious.activit",
                  "temporar(il)?y deactivate",
                  "temporar[il1]{2}y disab[li]ed",
                  "temporarily.*lock",
                  "un-?usua[li].activity",
                  "unable.*deliver",
                  "unauthorized.*activit",
                  "unauthorized.device",
                  "undelivered message",
                  "unread.*doc",
                  "unusual.activity",
                  "(?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt",
                  "upgrade.*account",
                  "upgrade.notice",
                  "urgent message",
                  "urgent.verification",
                  "v[il1]o[li1]at[il1]on security",
                  "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                  "verification ?-?require",
                  "verification( )?-?need",
                  "verify.your?.account",
                  "web ?-?ma[il1]{2}",
                  "web[ -]?ma[il1]{2}",
                  "will.be.suspended",
                  "your (customer )?account .as",
                  "your.office.365",
                  "your.online.access",
                  "de.activation",
                  "attn_task",
                  // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt
                  "account has been limited",
                  "action required",
                  "almost full",
                  "apd notifi cation",
                  "are you at your desk",
                  "are you available",
                  "attached file to docusign",
                  "banking is temporarily unavailable",
                  "bankofamerica",
                  "closing statement invoice",
                  "completed: docusign",
                  "de-activation of",
                  "delivery attempt",
                  "delivery stopped for shipment",
                  "detected suspicious",
                  "detected suspicious actvity",
                  "docu sign",
                  "document for you",
                  "document has been sent to you via docusign",
                  "document is ready for signature",
                  "docusign",
                  "encrypted message",
                  "failed delivery",
                  "fedex tracking",
                  "file was shared",
                  "freefax",
                  "fwd: due invoice paid",
                  "has shared",
                  "inbox is full",
                  "invitation to comment",
                  "invitation to edit",
                  "invoice due",
                  "left you a message",
                  "message from",
                  "new message",
                  "new voicemail",
                  "on desk",
                  "out of space",
                  "password reset",
                  "payment status",
                  "pay notification",
                  "quick reply",
                  "re: w-2",
                  "required",
                  "required: completed docusign",
                  "remittance",
                  "ringcentral",
                  "scanned image",
                  "secured files",
                  "secured pdf",
                  "security alert",
                  "new sign-in",
                  "new sign in",
                  "sign-in attempt",
                  "sign in attempt",
                  "staff review",
                  "suspicious activity",
                  "unrecognized login attempt",
                  "unusual signin",
                  "upgrade immediately",
                  "urgent",
                  "wants to share",
                  "w2",
                  "you have notifications pending",
                  "your account",
                  "your amazon order",
                  "your document settlement",
                  "your order with amazon",
                  "your password has been compromised",
  )
  or (
    regex.icontains(subject.subject, 'account.has.been')
    and not regex.icontains(subject.subject, 'account.has.been.*created')
  )
  or (
    regex.icontains(sender.display_name,
                    "Admin",
                    "Administrator",
                    "Alert",
                    "Assistant",
                    "Authenticat(or|ion)",
                    "Billing",
                    "Benefits",
                    "Bonus",
                    "CEO",
                    "CFO",
                    "CIO",
                    "CTO",
                    "Chairman",
                    "Claim",
                    "Confirm",
                    "Cpanel Mail",
                    "Critical",
                    "Customer Service",
                    "Deal",
                    "Discount",
                    "Director",
                    "Exclusive",
                    "Executive",
                    "Fax",
                    "Free",
                    "Gift",
                    '\bHR\b',
                    "Helpdesk",
                    "Human Resources",
                    "Immediate",
                    "Important",
                    "Info",
                    "Information",
                    "Invoice",
                    '\bIT\b',
                    '\bLegal\b',
                    "Lottery",
                    "Management",
                    "Manager",
                    "Member Services",
                    "Notification",
                    "Offer",
                    "Official Communication",
                    "Operations",
                    "Order",
                    "Partner",
                    "Payment",
                    "Payroll",
                    "Postmaster",
                    "President",
                    "Premium",
                    "Prize",
                    "Receipt",
                    "Refund",
                    "Registrar",
                    "Required",
                    "Reward",
                    "Sales",
                    "Secretary",
                    "Security",
                    "Server",
                    "Service",
                    "Storage",
                    "Support",
                    "Sweepstakes",
                    "System",
                    "Tax",
                    "Tech Support",
                    "Update",
                    "Upgrade",
                    "Urgent",
                    "Validate",
                    "Verify",
                    "VIP",
                    "Webmaster",
                    "Winner",
                    "DocReq\\b"
    )
    // add negation for common FPs in the sender display_name
    and not strings.icontains(sender.display_name, "service bulletin")
    and not strings.icontains(sender.display_name, "automotive service")
  )
)
and (
  4 of (
    any(recipients.to,
        .email.domain.valid
        and (
          strings.icontains(body.current_thread.text, .email.email)
          or strings.icontains(body.current_thread.text, .email.local_part)
        )
    ),
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    ),
    any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
    ),
    // recipient email address base64 encoded in link
    any(body.links,
        any(recipients.to,
            any(beta.scan_base64(..href_url.url,
                                 ignore_padding=true,
                                 format="url"
                ),
                strings.icontains(., ..email.email)
            )
        )
    ),
    (
      // freemail providers should never be sending this type of email
      sender.email.domain.domain in $free_email_providers

      // if not freemail, it's suspicious if the sender's root domain
      // doesn't match any links in the body
      or all(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
             and (
               .href_url.domain.root_domain not in $org_domains
               // ignore recipient email addresses in the body in relation to this check
               or (
                 .href_url.domain.root_domain in $org_domains
                 and any(recipients.to,
                         strings.icount(body.current_thread.text, .email.email) == strings.icount(body.current_thread.text,
                                                                                                  .email.domain.domain
                         )
                 )
               )
             )
      )

      // bulk mailers should also never be sending this type of email
      or all(filter(body.links,
                    .href_url.domain.domain not in (
                      "aka.ms",
                      "mimecast.com",
                      "mimecastprotect.com",
                      "cisco.com"
                    )
             ),
             .href_url.domain.root_domain in $bulk_mailer_url_root_domains
      )
    ),
    // in case it's embedded in an image attachment
    // note: don't use message_screenshot() because it's not limited to current_thread
    // and may FP
    any(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).intents,
                    .name == "cred_theft" and .confidence == "high"
                )
        )
    ),
    strings.contains(body.current_thread.text,
                     "Your mailbox can no longer send or receive messages."
    ),
    any(body.links,
        strings.icontains(.href_url.query_params, 'redirect')
        or any(.href_url.rewrite.encoders,
               strings.icontains(., "open_redirect")
        )
    ),
    // multiple entities displaying urgency
    length(filter(ml.nlu_classifier(body.current_thread.text).entities,
                  .name == "urgency"
           )
    ) >= 2
    // and any body links
    and any(body.links,
            // display text contains a request
            any(ml.nlu_classifier(.display_text).entities, .name == "request")
    ),
    any(body.links,
        // display text contains a request
        (
          any(ml.nlu_classifier(.display_text).entities, .name == "request")
          or regex.match(.display_text, '^[^a-z]+$')
        )
        and (
          .href_url.domain.domain in $url_shorteners
          or .href_url.domain.domain in $social_landing_hosts
          or .href_url.domain.root_domain in $url_shorteners
          or .href_url.domain.root_domain in $social_landing_hosts
          or .href_url.domain.domain in $free_file_hosts
          or (
            .href_url.domain.root_domain in (
              "mimecast.com",
              "mimecastprotect.com"
            )
            and any(.href_url.query_params_decoded['domain'],
                    strings.parse_url(strings.concat("https://", .)).domain.domain in $url_shorteners
                    or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $url_shorteners
                    or strings.parse_url(strings.concat("https://", .)).domain.domain in $free_file_hosts
                    or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $free_subdomain_hosts
                    or strings.parse_url(strings.concat("https://", .)).domain.domain in $social_landing_hosts
                    or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $social_landing_hosts
            )
          )
        )
    ),
    // common greetings via email.local_part
    any(recipients.to,
        length(.email.local_part) > 2
        and 
        // use count to ensure the email address is not part of a disclaimer
        strings.icount(body.current_thread.text, .email.local_part) > 
        // sum allows us to add more logic as needed
        strings.icount(body.current_thread.text,
                       strings.concat('was sent to ', .email.email)
        ) + strings.icount(body.current_thread.text,
                           strings.concat('intended for ', .email.email)
        )
    )
  )
  or (
    (
      // recipient's email address is in the body
      any(recipients.to,
          // use count to ensure the email address is not part of a disclaimer
          strings.icount(body.current_thread.text, .email.email) > 
          // sum allows us to add more logic as needed
          sum([
                strings.icount(body.current_thread.text,
                               strings.concat('was sent to ', .email.email)
                ),
                strings.icount(body.current_thread.text,
                               strings.concat('intended for ', .email.email)
                )
              ]
          )
      )
      // suspicious display text
      or (
        length(body.links) == 1
        and all(body.links,
                strings.ilike(.display_text, "*click here*", "*password*")
        )
      )
    )
    // link leads to a suspicious TLD or contains an IP address or contains multiple redirects
    and any(body.links,
            (
              ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
              or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history,
                                     .domain.root_domain
                                 )
                        )
              ) >= 4
              or (
                any(body.ips,
                    any(body.links, strings.icontains(.href_url.url, ..ip))
                )
              )
            )
    )
  )
)
// exclude Google shared calendar messages
// Subject: "<sender name> has shared a calendar with you"
and headers.return_path.domain.domain != "calendar-server.bounces.google.com"
// negate calendar invites
and not (
  0 < length(attachments) < 3
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
)
// negate replies
and (
  (
    (length(headers.references) > 0 or headers.in_reply_to is null)
    and not (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.icontains(subject.subject,
                           '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
        )
      )
    )
  )
  or length(headers.references) == 0
)
// bounce-back and DMARC report negations
and not (
  strings.like(sender.email.local_part,
               "*postmaster*",
               "*mailer-daemon*",
               "*administrator*"
  )
  and (
    any(attachments,
        .content_type in (
          "message/rfc822",
          "message/delivery-status",
          "text/calendar"
        )
    )
    or (
      length(attachments) == 1
      and all(attachments, .content_type in ("application/gzip"))
      and regex.icontains(subject.subject,
                          '(?:(Report\sDomain).*(Submitter).*(Report-ID))'
      )
    )
  )
)
and (
  (
    profile.by_sender().prevalence != "common"
    and not profile.by_sender_email().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// FP avoidance
and not any(beta.ml_topic(body.current_thread.text).topics,
            .name in (
              "Advertising and Promotions",
              "Political Mail",
              "News and Current Events",
              "Newsletters and Digests"
            )
            and .confidence == "high"
)

Detection logic

Scope: inbound message.

Message contains various suspicious indicators as well as engaging language resembling credential theft from an untrusted sender.

inbound message
any of:
- subject.subject matches any of 198 patterns
  - termination.*notice
  - 38417
  - :completed
  - [il1]{2}mit.*ma[il1]{2} ?bo?x
  - [il][il][il]egai[ -]
  - [li][li][li]ega[li] attempt
  - [ng]-?[io]n .*block
  - [ng]-?[io]n .*cancel
  - [ng]-?[io]n .*deactiv
  - [ng]-?[io]n .*disabl
  - action.*required
  - abandon.*package
  - about.your.account
  - acc(ou)?n?t (is )?on ho[li]d
  - acc(ou)?n?t.*terminat
  - acc(oun)?t.*[il1]{2}mitation
  - access.*limitation
  - account (will be )?block
  - account.*de-?activat
  - account.*locked
  - account.*re-verification
  - account.*security
  - account.*suspension
  - account.has.expired
  - account.will.be.blocked
  - account v[il]o[li]at
  - activity.*acc(oun)?t
  - almost.full
  - app[li]e.[il]d
  - authenticate.*account
  - been.*suspend
  - crediential.*notif
  - clos.*of.*account.*processed
  - confirm.your.account
  - courier.*able
  - crediential.*notif
  - deactivation.*in.*progress
  - delivery.*attempt.*failed
  - disconnection.*notice
  - document.received
  - documented.*shared.*with.*you
  - dropbox.*document
  - e-?ma[il1]+ .{010}suspen
  - e-?ma[il1]{1} user
  - e-?ma[il1]{2} acc
  - e-?ma[il1]{2} preview
  - e-?ma[il1]{2}.*up.?grade
  - e.?ma[il1]{2}.*server
  - e.?ma[il1]{2}.*suspend
  - email.update
  - faxed you
  - fraud(ulent)?.*charge
  - from.helpdesk
  - fu[il1]{2}.*ma[il1]+[ -]?box
  - has.been.*suspended
  - has.been.limited
  - have.locked
  - he[li]p ?desk upgrade
  - heipdesk
  - i[il]iega[il]
  - ii[il]ega[il]
  - incoming e?mail
  - incoming.*fax
  - lock.*security
  - ma[il1]{1}[ -]?box.*quo
  - ma[il1]{2}[ -]?box.*fu[il1]
  - ma[il1]{2}box.*[il1]{2}mit
  - ma[il1]{2}box stor
  - mail on.?hold
  - mail.*box.*migration
  - mail.*de-?activat
  - mail.update.required
  - mails.*pending
  - messages.*pending
  - missed.*shipping.*notification
  - missed.shipment.notification
  - must.update.your.account
  - new [sl][io]g?[nig][ -]?in from
  - new voice ?-?mail
  - notifications.*pending
  - office.*3.*6.*5.*suspend
  - office365
  - on google docs with you
  - online doc
  - password.*compromised
  - (?:payroll|salary|bonus).*Distribution
  - periodic maintenance
  - potential(ly)? unauthorized
  - refund not approved
  - report
  - revised.*policy
  - scam
  - scanned.?invoice
  - secured?.update
  - security breach
  - securlty
  - signed.*delivery
  - status of your .{314}? ?delivery
  - susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
  - suspicious.*sign.*[io]n
  - suspicious.activit
  - temporar(il)?y deactivate
  - temporar[il1]{2}y disab[li]ed
  - temporarily.*lock
  - un-?usua[li].activity
  - unable.*deliver
  - unauthorized.*activit
  - unauthorized.device
  - undelivered message
  - unread.*doc
  - unusual.activity
  - (?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt
  - upgrade.*account
  - upgrade.notice
  - urgent message
  - urgent.verification
  - v[il1]o[li1]at[il1]on security
  - va[il1]{1}date.*ma[il1]{2}[ -]?box
  - verification ?-?require
  - verification( )?-?need
  - verify.your?.account
  - web ?-?ma[il1]{2}
  - web[ -]?ma[il1]{2}
  - will.be.suspended
  - your (customer )?account .as
  - your.office.365
  - your.online.access
  - de.activation
  - attn_task
  - account has been limited
  - action required
  - almost full
  - apd notifi cation
  - are you at your desk
  - are you available
  - attached file to docusign
  - banking is temporarily unavailable
  - bankofamerica
  - closing statement invoice
  - completed: docusign
  - de-activation of
  - delivery attempt
  - delivery stopped for shipment
  - detected suspicious
  - detected suspicious actvity
  - docu sign
  - document for you
  - document has been sent to you via docusign
  - document is ready for signature
  - docusign
  - encrypted message
  - failed delivery
  - fedex tracking
  - file was shared
  - freefax
  - fwd: due invoice paid
  - has shared
  - inbox is full
  - invitation to comment
  - invitation to edit
  - invoice due
  - left you a message
  - message from
  - new message
  - new voicemail
  - on desk
  - out of space
  - password reset
  - payment status
  - pay notification
  - quick reply
  - re: w-2
  - required
  - required: completed docusign
  - remittance
  - ringcentral
  - scanned image
  - secured files
  - secured pdf
  - security alert
  - new sign-in
  - new sign in
  - sign-in attempt
  - sign in attempt
  - staff review
  - suspicious activity
  - unrecognized login attempt
  - unusual signin
  - upgrade immediately
  - urgent
  - wants to share
  - w2
  - you have notifications pending
  - your account
  - your amazon order
  - your document settlement
  - your order with amazon
  - your password has been compromised
- all of:
  - subject.subject matches 'account.has.been'
  - not:
    
    subject.subject matches 'account.has.been.*created'
- all of:
  - sender.display_name matches any of 77 patterns
    
    Admin
    Administrator
    Alert
    Assistant
    Authenticat(or|ion)
    Billing
    Benefits
    Bonus
    CEO
    CFO
    CIO
    CTO
    Chairman
    Claim
    Confirm
    Cpanel Mail
    Critical
    Customer Service
    Deal
    Discount
    Director
    Exclusive
    Executive
    Fax
    Free
    Gift
    \bHR\b
    Helpdesk
    Human Resources
    Immediate
    Important
    Info
    Information
    Invoice
    \bIT\b
    \bLegal\b
    Lottery
    Management
    Manager
    Member Services
    Notification
    Offer
    Official Communication
    Operations
    Order
    Partner
    Payment
    Payroll
    Postmaster
    President
    Premium
    Prize
    Receipt
    Refund
    Registrar
    Required
    Reward
    Sales
    Secretary
    Security
    Server
    Service
    Storage
    Support
    Sweepstakes
    System
    Tax
    Tech Support
    Update
    Upgrade
    Urgent
    Validate
    Verify
    VIP
    Webmaster
    Winner
    DocReq\\b
  - not:
    
    sender.display_name contains 'service bulletin'
  - not:
    
    sender.display_name contains 'automotive service'
any of:
- at least 4 of:
  - any of recipients.to where all hold:
    
    .email.domain.valid
    any of:
    
    strings.icontains(body.current_thread.text)
    strings.icontains(body.current_thread.text)
  - any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
    
    .name is 'cred_theft'
    .confidence in ('medium', 'high')
  - any of ml.nlu_classifier(body.current_thread.text).entities where:
    
    .name is 'request'
  - any of body.links where:
    
    any of recipients.to where:
    
    any of beta.scan_base64(.href_url.url) where:
    
    strings.icontains(.)
  - any of:
    
    sender.email.domain.domain in $free_email_providers
    all of body.links where all hold:
    
    .href_url.domain.root_domain is not sender.email.domain.root_domain
    any of:
    
    .href_url.domain.root_domain not in $org_domains
    all of:
    
    .href_url.domain.root_domain in $org_domains
    any of recipients.to where:
    
    strings.icount(body.current_thread.text) is strings.icount(body.current_thread.text, .email.domain.domain)
    all of filter(body.links) where:
    
    .href_url.domain.root_domain in $bulk_mailer_url_root_domains
  - any of attachments where all hold:
    
    .file_type in $file_types_images
    any of file.explode(.) where:
    
    any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
    
    .name is 'cred_theft'
    .confidence is 'high'
  - body.current_thread.text contains 'Your mailbox can no longer send or receive messages.'
  - any of body.links where any holds:
    
    .href_url.query_params contains 'redirect'
    any of .href_url.rewrite.encoders where:
    
    . contains 'open_redirect'
  - all of:
    
    length(filter(ml.nlu_classifier(body.current_thread.text).entities, .name == 'urgency')) ≥ 2
    any of body.links where:
    
    any of ml.nlu_classifier(.display_text).entities where:
    
    .name is 'request'
  - any of body.links where all hold:
    
    any of:
    
    any of ml.nlu_classifier(.display_text).entities where:
    
    .name is 'request'
    .display_text matches '^[^a-z]+$'
    any of:
    
    .href_url.domain.domain in $url_shorteners
    .href_url.domain.domain in $social_landing_hosts
    .href_url.domain.root_domain in $url_shorteners
    .href_url.domain.root_domain in $social_landing_hosts
    .href_url.domain.domain in $free_file_hosts
    all of:
    
    .href_url.domain.root_domain in ('mimecast.com', 'mimecastprotect.com')
    any of .href_url.query_params_decoded['domain'] where any holds:
    
    strings.parse_url(strings.concat('https://', .)).domain.domain in $url_shorteners
    strings.parse_url(strings.concat('https://', .)).domain.root_domain in $url_shorteners
    strings.parse_url(strings.concat('https://', .)).domain.domain in $free_file_hosts
    strings.parse_url(strings.concat('https://', .)).domain.root_domain in $free_subdomain_hosts
    strings.parse_url(strings.concat('https://', .)).domain.domain in $social_landing_hosts
    strings.parse_url(strings.concat('https://', .)).domain.root_domain in $social_landing_hosts
  - any of recipients.to where all hold:
    
    length(.email.local_part) > 2
    strings.icount(body.current_thread.text) > strings.icount(body.current_thread.text) + strings.icount(body.current_thread.text)
- all of:
  - any of:
    
    any of recipients.to where:
    
    strings.icount(body.current_thread.text) > sum([strings.icount(body.current_thread.text, strings.concat('was sent to ', .email.email)), strings.icount(body.current_thread.text, strings.concat('intended for ', .email.email))])
    all of:
    
    length(body.links) is 1
    all of body.links where:
    
    .display_text matches any of 2 patterns
    
    *click here*
    *password*
  - any of body.links where any holds:
    
    ml.link_analysis(.).effective_url.domain.tld in $suspicious_tlds
    length(distinct(map(ml.link_analysis(., mode='aggressive').redirect_history, .domain.root_domain))) ≥ 4
    any of body.ips where:
    
    any of body.links where:
    
    strings.icontains(.href_url.url)
headers.return_path.domain.domain is not 'calendar-server.bounces.google.com'
not:
- all of:
  - all of:
    
    length(attachments) > 0
    length(attachments) < 3
  - all of attachments where:
    
    .content_type in ('text/calendar', 'application/ics')
any of:
- all of:
  - any of:
    
    length(headers.references) > 0
    headers.in_reply_to is missing
  - none of:
    
    subject.subject starts with 'RE:'
    subject.subject starts with 'R:'
    subject.subject starts with 'ODG:'
    subject.subject starts with '答复:'
    subject.subject starts with 'AW:'
    subject.subject starts with 'TR:'
    subject.subject starts with 'FWD:'
    subject.subject matches '^(\\[[^\\]]+\\]\\s?){0,3}(re|fwd?)\\s?:'
- length(headers.references) is 0
not:
- all of:
  - sender.email.local_part matches any of 3 patterns
    
    *postmaster*
    *mailer-daemon*
    *administrator*
  - any of:
    
    any of attachments where:
    
    .content_type in ('message/rfc822', 'message/delivery-status', 'text/calendar')
    all of:
    
    length(attachments) is 1
    all of attachments where:
    
    .content_type in ('application/gzip')
    subject.subject matches '(?:(Report\\sDomain).*(Submitter).*(Report-ID))'
any of:
- all of:
  - profile.by_sender().prevalence is not 'common'
  - not:
    
    profile.by_sender_email().solicited
- all of:
  - profile.by_sender().any_messages_malicious_or_spam
  - not:
    
    profile.by_sender().any_messages_benign
any of:
- all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - not:
    
    headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
not:
- any of beta.ml_topic(body.current_thread.text).topics where all hold:
  - .name in ('Advertising and Promotions', 'Political Mail', 'News and Current Events', 'Newsletters and Digests')
  - .confidence is 'high'

Inspects: attachments[].content_type, attachments[].file_type, body.current_thread.text, body.ips, body.ips[].ip, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.query_params, body.links[].href_url.query_params_decoded['domain'], body.links[].href_url.rewrite.encoders, body.links[].href_url.url, headers.auth_summary.dmarc.pass, headers.in_reply_to, headers.references, headers.return_path.domain.domain, recipients.to, recipients.to[].email.domain.domain, recipients.to[].email.domain.valid, recipients.to[].email.email, recipients.to[].email.local_part, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.local_part, subject.subject, type.inbound. Sensors: beta.ml_topic, beta.scan_base64, file.explode, ml.link_analysis, ml.nlu_classifier, profile.by_sender, profile.by_sender_email, regex.icontains, regex.match, strings.concat, strings.contains, strings.icontains, strings.icount, strings.ilike, strings.istarts_with, strings.like, strings.parse_url. Reference lists: $bulk_mailer_url_root_domains, $file_types_images, $free_email_providers, $free_file_hosts, $free_subdomain_hosts, $high_trust_sender_root_domains, $org_domains, $social_landing_hosts, $suspicious_tlds, $url_shorteners.

Indicators matched (320)

Field	Match	Value
`regex.icontains`	regex	`termination.*notice`
`regex.icontains`	regex	`38417`
`regex.icontains`	regex	`:completed`
`regex.icontains`	regex	`[il1]{2}mit.*ma[il1]{2} ?bo?x`
`regex.icontains`	regex	`[il][il][il]egai[ -]`
`regex.icontains`	regex	`[li][li][li]ega[li] attempt`
`regex.icontains`	regex	`[ng]-?[io]n .*block`
`regex.icontains`	regex	`[ng]-?[io]n .*cancel`
`regex.icontains`	regex	`[ng]-?[io]n .*deactiv`
`regex.icontains`	regex	`[ng]-?[io]n .*disabl`
`regex.icontains`	regex	`action.*required`
`regex.icontains`	regex	`abandon.*package`

308 more

`regex.icontains`	regex	`about.your.account`
`regex.icontains`	regex	`acc(ou)?n?t (is )?on ho[li]d`
`regex.icontains`	regex	`acc(ou)?n?t.*terminat`
`regex.icontains`	regex	`acc(oun)?t.*[il1]{2}mitation`
`regex.icontains`	regex	`access.*limitation`
`regex.icontains`	regex	`account (will be )?block`
`regex.icontains`	regex	`account.*de-?activat`
`regex.icontains`	regex	`account.*locked`
`regex.icontains`	regex	`account.*re-verification`
`regex.icontains`	regex	`account.*security`
`regex.icontains`	regex	`account.*suspension`
`regex.icontains`	regex	`account.has.expired`
`regex.icontains`	regex	`account.will.be.blocked`
`regex.icontains`	regex	`account v[il]o[li]at`
`regex.icontains`	regex	`activity.*acc(oun)?t`
`regex.icontains`	regex	`almost.full`
`regex.icontains`	regex	`app[li]e.[il]d`
`regex.icontains`	regex	`authenticate.*account`
`regex.icontains`	regex	`been.*suspend`
`regex.icontains`	regex	`crediential.*notif`
`regex.icontains`	regex	`clos.of.account.*processed`
`regex.icontains`	regex	`confirm.your.account`
`regex.icontains`	regex	`courier.*able`
`regex.icontains`	regex	`deactivation.in.progress`
`regex.icontains`	regex	`delivery.attempt.failed`
`regex.icontains`	regex	`disconnection.*notice`
`regex.icontains`	regex	`document.received`
`regex.icontains`	regex	`documented.shared.with.*you`
`regex.icontains`	regex	`dropbox.*document`
`regex.icontains`	regex	`e-?ma[il1]+ .{010}suspen`
`regex.icontains`	regex	`e-?ma[il1]{1} user`
`regex.icontains`	regex	`e-?ma[il1]{2} acc`
`regex.icontains`	regex	`e-?ma[il1]{2} preview`
`regex.icontains`	regex	`e-?ma[il1]{2}.*up.?grade`
`regex.icontains`	regex	`e.?ma[il1]{2}.*server`
`regex.icontains`	regex	`e.?ma[il1]{2}.*suspend`
`regex.icontains`	regex	`email.update`
`regex.icontains`	regex	`faxed you`
`regex.icontains`	regex	`fraud(ulent)?.*charge`
`regex.icontains`	regex	`from.helpdesk`
`regex.icontains`	regex	`fu[il1]{2}.*ma[il1]+[ -]?box`
`regex.icontains`	regex	`has.been.*suspended`
`regex.icontains`	regex	`has.been.limited`
`regex.icontains`	regex	`have.locked`
`regex.icontains`	regex	`he[li]p ?desk upgrade`
`regex.icontains`	regex	`heipdesk`
`regex.icontains`	regex	`i[il]iega[il]`
`regex.icontains`	regex	`ii[il]ega[il]`
`regex.icontains`	regex	`incoming e?mail`
`regex.icontains`	regex	`incoming.*fax`
`regex.icontains`	regex	`lock.*security`
`regex.icontains`	regex	`ma[il1]{1}[ -]?box.*quo`
`regex.icontains`	regex	`ma[il1]{2}[ -]?box.*fu[il1]`
`regex.icontains`	regex	`ma[il1]{2}box.*[il1]{2}mit`
`regex.icontains`	regex	`ma[il1]{2}box stor`
`regex.icontains`	regex	`mail on.?hold`
`regex.icontains`	regex	`mail.box.migration`
`regex.icontains`	regex	`mail.*de-?activat`
`regex.icontains`	regex	`mail.update.required`
`regex.icontains`	regex	`mails.*pending`
`regex.icontains`	regex	`messages.*pending`
`regex.icontains`	regex	`missed.shipping.notification`
`regex.icontains`	regex	`missed.shipment.notification`
`regex.icontains`	regex	`must.update.your.account`
`regex.icontains`	regex	`new [sl][io]g?[nig][ -]?in from`
`regex.icontains`	regex	`new voice ?-?mail`
`regex.icontains`	regex	`notifications.*pending`
`regex.icontains`	regex	`office.3.6.5.suspend`
`regex.icontains`	regex	`office365`
`regex.icontains`	regex	`on google docs with you`
`regex.icontains`	regex	`online doc`
`regex.icontains`	regex	`password.*compromised`
`regex.icontains`	regex	`(?:payroll\|salary\|bonus).*Distribution`
`regex.icontains`	regex	`periodic maintenance`
`regex.icontains`	regex	`potential(ly)? unauthorized`
`regex.icontains`	regex	`refund not approved`
`regex.icontains`	regex	`report`
`regex.icontains`	regex	`revised.*policy`
`regex.icontains`	regex	`scam`
`regex.icontains`	regex	`scanned.?invoice`
`regex.icontains`	regex	`secured?.update`
`regex.icontains`	regex	`security breach`
`regex.icontains`	regex	`securlty`
`regex.icontains`	regex	`signed.*delivery`
`regex.icontains`	regex	`status of your .{314}? ?delivery`
`regex.icontains`	regex	`susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty`
`regex.icontains`	regex	`suspicious.sign.[io]n`
`regex.icontains`	regex	`suspicious.activit`
`regex.icontains`	regex	`temporar(il)?y deactivate`
`regex.icontains`	regex	`temporar[il1]{2}y disab[li]ed`
`regex.icontains`	regex	`temporarily.*lock`
`regex.icontains`	regex	`un-?usua[li].activity`
`regex.icontains`	regex	`unable.*deliver`
`regex.icontains`	regex	`unauthorized.*activit`
`regex.icontains`	regex	`unauthorized.device`
`regex.icontains`	regex	`undelivered message`
`regex.icontains`	regex	`unread.*doc`
`regex.icontains`	regex	`unusual.activity`
`regex.icontains`	regex	`(?:unrecognized\|Unusual\|suspicious\|unknown) (?:log\|sign).?[io]n attempt`
`regex.icontains`	regex	`upgrade.*account`
`regex.icontains`	regex	`upgrade.notice`
`regex.icontains`	regex	`urgent message`
`regex.icontains`	regex	`urgent.verification`
`regex.icontains`	regex	`v[il1]o[li1]at[il1]on security`
`regex.icontains`	regex	`va[il1]{1}date.*ma[il1]{2}[ -]?box`
`regex.icontains`	regex	`verification ?-?require`
`regex.icontains`	regex	`verification( )?-?need`
`regex.icontains`	regex	`verify.your?.account`
`regex.icontains`	regex	`web ?-?ma[il1]{2}`
`regex.icontains`	regex	`web[ -]?ma[il1]{2}`
`regex.icontains`	regex	`will.be.suspended`
`regex.icontains`	regex	`your (customer )?account .as`
`regex.icontains`	regex	`your.office.365`
`regex.icontains`	regex	`your.online.access`
`regex.icontains`	regex	`de.activation`
`regex.icontains`	regex	`attn_task`
`regex.icontains`	regex	`account has been limited`
`regex.icontains`	regex	`action required`
`regex.icontains`	regex	`almost full`
`regex.icontains`	regex	`apd notifi cation`
`regex.icontains`	regex	`are you at your desk`
`regex.icontains`	regex	`are you available`
`regex.icontains`	regex	`attached file to docusign`
`regex.icontains`	regex	`banking is temporarily unavailable`
`regex.icontains`	regex	`bankofamerica`
`regex.icontains`	regex	`closing statement invoice`
`regex.icontains`	regex	`completed: docusign`
`regex.icontains`	regex	`de-activation of`
`regex.icontains`	regex	`delivery attempt`
`regex.icontains`	regex	`delivery stopped for shipment`
`regex.icontains`	regex	`detected suspicious`
`regex.icontains`	regex	`detected suspicious actvity`
`regex.icontains`	regex	`docu sign`
`regex.icontains`	regex	`document for you`
`regex.icontains`	regex	`document has been sent to you via docusign`
`regex.icontains`	regex	`document is ready for signature`
`regex.icontains`	regex	`docusign`
`regex.icontains`	regex	`encrypted message`
`regex.icontains`	regex	`failed delivery`
`regex.icontains`	regex	`fedex tracking`
`regex.icontains`	regex	`file was shared`
`regex.icontains`	regex	`freefax`
`regex.icontains`	regex	`fwd: due invoice paid`
`regex.icontains`	regex	`has shared`
`regex.icontains`	regex	`inbox is full`
`regex.icontains`	regex	`invitation to comment`
`regex.icontains`	regex	`invitation to edit`
`regex.icontains`	regex	`invoice due`
`regex.icontains`	regex	`left you a message`
`regex.icontains`	regex	`message from`
`regex.icontains`	regex	`new message`
`regex.icontains`	regex	`new voicemail`
`regex.icontains`	regex	`on desk`
`regex.icontains`	regex	`out of space`
`regex.icontains`	regex	`password reset`
`regex.icontains`	regex	`payment status`
`regex.icontains`	regex	`pay notification`
`regex.icontains`	regex	`quick reply`
`regex.icontains`	regex	`re: w-2`
`regex.icontains`	regex	`required`
`regex.icontains`	regex	`required: completed docusign`
`regex.icontains`	regex	`remittance`
`regex.icontains`	regex	`ringcentral`
`regex.icontains`	regex	`scanned image`
`regex.icontains`	regex	`secured files`
`regex.icontains`	regex	`secured pdf`
`regex.icontains`	regex	`security alert`
`regex.icontains`	regex	`new sign-in`
`regex.icontains`	regex	`new sign in`
`regex.icontains`	regex	`sign-in attempt`
`regex.icontains`	regex	`sign in attempt`
`regex.icontains`	regex	`staff review`
`regex.icontains`	regex	`suspicious activity`
`regex.icontains`	regex	`unrecognized login attempt`
`regex.icontains`	regex	`unusual signin`
`regex.icontains`	regex	`upgrade immediately`
`regex.icontains`	regex	`urgent`
`regex.icontains`	regex	`wants to share`
`regex.icontains`	regex	`w2`
`regex.icontains`	regex	`you have notifications pending`
`regex.icontains`	regex	`your account`
`regex.icontains`	regex	`your amazon order`
`regex.icontains`	regex	`your document settlement`
`regex.icontains`	regex	`your order with amazon`
`regex.icontains`	regex	`your password has been compromised`
`regex.icontains`	regex	`account.has.been`
`regex.icontains`	regex	`account.has.been.*created`
`regex.icontains`	regex	`Admin`
`regex.icontains`	regex	`Administrator`
`regex.icontains`	regex	`Alert`
`regex.icontains`	regex	`Assistant`
`regex.icontains`	regex	`Authenticat(or\|ion)`
`regex.icontains`	regex	`Billing`
`regex.icontains`	regex	`Benefits`
`regex.icontains`	regex	`Bonus`
`regex.icontains`	regex	`CEO`
`regex.icontains`	regex	`CFO`
`regex.icontains`	regex	`CIO`
`regex.icontains`	regex	`CTO`
`regex.icontains`	regex	`Chairman`
`regex.icontains`	regex	`Claim`
`regex.icontains`	regex	`Confirm`
`regex.icontains`	regex	`Cpanel Mail`
`regex.icontains`	regex	`Critical`
`regex.icontains`	regex	`Customer Service`
`regex.icontains`	regex	`Deal`
`regex.icontains`	regex	`Discount`
`regex.icontains`	regex	`Director`
`regex.icontains`	regex	`Exclusive`
`regex.icontains`	regex	`Executive`
`regex.icontains`	regex	`Fax`
`regex.icontains`	regex	`Free`
`regex.icontains`	regex	`Gift`
`regex.icontains`	regex	`\bHR\b`
`regex.icontains`	regex	`Helpdesk`
`regex.icontains`	regex	`Human Resources`
`regex.icontains`	regex	`Immediate`
`regex.icontains`	regex	`Important`
`regex.icontains`	regex	`Info`
`regex.icontains`	regex	`Information`
`regex.icontains`	regex	`Invoice`
`regex.icontains`	regex	`\bIT\b`
`regex.icontains`	regex	`\bLegal\b`
`regex.icontains`	regex	`Lottery`
`regex.icontains`	regex	`Management`
`regex.icontains`	regex	`Manager`
`regex.icontains`	regex	`Member Services`
`regex.icontains`	regex	`Notification`
`regex.icontains`	regex	`Offer`
`regex.icontains`	regex	`Official Communication`
`regex.icontains`	regex	`Operations`
`regex.icontains`	regex	`Order`
`regex.icontains`	regex	`Partner`
`regex.icontains`	regex	`Payment`
`regex.icontains`	regex	`Payroll`
`regex.icontains`	regex	`Postmaster`
`regex.icontains`	regex	`President`
`regex.icontains`	regex	`Premium`
`regex.icontains`	regex	`Prize`
`regex.icontains`	regex	`Receipt`
`regex.icontains`	regex	`Refund`
`regex.icontains`	regex	`Registrar`
`regex.icontains`	regex	`Required`
`regex.icontains`	regex	`Reward`
`regex.icontains`	regex	`Sales`
`regex.icontains`	regex	`Secretary`
`regex.icontains`	regex	`Security`
`regex.icontains`	regex	`Server`
`regex.icontains`	regex	`Service`
`regex.icontains`	regex	`Storage`
`regex.icontains`	regex	`Support`
`regex.icontains`	regex	`Sweepstakes`
`regex.icontains`	regex	`System`
`regex.icontains`	regex	`Tax`
`regex.icontains`	regex	`Tech Support`
`regex.icontains`	regex	`Update`
`regex.icontains`	regex	`Upgrade`
`regex.icontains`	regex	`Urgent`
`regex.icontains`	regex	`Validate`
`regex.icontains`	regex	`Verify`
`regex.icontains`	regex	`VIP`
`regex.icontains`	regex	`Webmaster`
`regex.icontains`	regex	`Winner`
`regex.icontains`	regex	`DocReq\\b`
`strings.icontains`	substring	`service bulletin`
`strings.icontains`	substring	`automotive service`
`ml.nlu_classifier(body.current_thread.text).intents[].name`	equals	`cred_theft`
`ml.nlu_classifier(body.current_thread.text).intents[].confidence`	member	`medium`
`ml.nlu_classifier(body.current_thread.text).intents[].confidence`	member	`high`
`ml.nlu_classifier(body.current_thread.text).entities[].name`	equals	`request`
`body.links[].href_url.domain.domain`	member	`aka.ms`
`body.links[].href_url.domain.domain`	member	`mimecast.com`
`body.links[].href_url.domain.domain`	member	`mimecastprotect.com`
`body.links[].href_url.domain.domain`	member	`cisco.com`
`ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name`	equals	`cred_theft`
`ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].confidence`	equals	`high`
`strings.contains`	substring	`Your mailbox can no longer send or receive messages.`
`strings.icontains`	substring	`redirect`
`strings.icontains`	substring	`open_redirect`
`ml.nlu_classifier(body.current_thread.text).entities[].name`	equals	`urgency`
`ml.nlu_classifier(body.links[].display_text).entities[].name`	equals	`request`
`regex.match`	regex	`^[^a-z]+$`
`body.links[].href_url.domain.root_domain`	member	`mimecast.com`
`body.links[].href_url.domain.root_domain`	member	`mimecastprotect.com`
`strings.ilike`	substring	`click here`
`strings.ilike`	substring	`password`
`attachments[].content_type`	member	`text/calendar`
`attachments[].content_type`	member	`application/ics`
`strings.istarts_with`	prefix	`RE:`
`strings.istarts_with`	prefix	`R:`
`strings.istarts_with`	prefix	`ODG:`
`strings.istarts_with`	prefix	`答复:`
`strings.istarts_with`	prefix	`AW:`
`strings.istarts_with`	prefix	`TR:`
`strings.istarts_with`	prefix	`FWD:`
`regex.icontains`	regex	`^(\[[^\]]+\]\s?){0,3}(re\|fwd?)\s?:`
`strings.like`	substring	`postmaster`
`strings.like`	substring	`mailer-daemon`
`strings.like`	substring	`administrator`
`attachments[].content_type`	member	`message/rfc822`
`attachments[].content_type`	member	`message/delivery-status`
`attachments[].content_type`	member	`application/gzip`
`regex.icontains`	regex	`(?:(Report\sDomain).(Submitter).(Report-ID))`
`beta.ml_topic(body.current_thread.text).topics[].name`	member	`Advertising and Promotions`
`beta.ml_topic(body.current_thread.text).topics[].name`	member	`Political Mail`
`beta.ml_topic(body.current_thread.text).topics[].name`	member	`News and Current Events`
`beta.ml_topic(body.current_thread.text).topics[].name`	member	`Newsletters and Digests`
`beta.ml_topic(body.current_thread.text).topics[].confidence`	equals	`high`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)