
Summary
This detection rule targets email messages whose characteristics, taken together, indicate a credential theft (phishing) attempt. It focuses on messages whose recipients are undisclosed: the message was sent via BCC, so no real mailbox appears in the 'To', 'CC', or 'BCC' fields. This is a common tactic in bulk phishing campaigns because it hides who else was targeted. The rule inspects the recipients listed in those three fields and fires only when all of them are undisclosed. It also extracts the links in the message body and compares each link's domain against the Tranco top one million list ($tranco_1m); a link whose domain is outside that list is treated as low reputation, which is characteristic of phishing infrastructure. Natural Language Understanding (NLU) is applied to the message body to detect a credential theft intent, and the rule requires that intent to be present with medium or high confidence. Finally, a regular expression is matched against the display text of each link. Content analysis, header analysis, and the link display text regex thus combine to flag these suspicious messages.
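As an added worked example (this is not the rule's own query language and not part of the original page), the following Python reproduces the four conditions described above over two constructed sample messages: undisclosed recipients in the To/CC/BCC headers, a link whose registered domain is outside the reputation list, login-styled link display text, and an NLU credential theft intent at medium or high confidence. The reputation entries, the display text regex, the registered-domain helper and the NLU intent records are assumptions: a real deployment loads the full $tranco_1m list, and the NLU classifier's output is only consumed here, not implemented.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the $tranco_1m reputation list (assumption).
TRANCO_TOP = {"google.com", "microsoft.com", "office.com", "linkedin.com"}

# Display-text regex (assumption): phrases that dress a link up as a sign-in or
# account action. The page does not show the rule's own pattern.
LOGIN_TEXT_RE = re.compile(r"\b(sign|log)[\s-]?in\b|\bverify\b|\bpassword\b|\baccount\b", re.I)

CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


class LinkExtractor(HTMLParser):
    """Collect (href, display text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(url):
    """Last two host labels (assumption: mishandles suffixes like co.uk; use a
    public-suffix library in production)."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def recipients_undisclosed(msg):
    """True when no To/Cc/Bcc header names a real mailbox, which is what the
    delivered copy of a Bcc-only send looks like ('undisclosed-recipients:;').
    A message with no recipient header at all also counts as undisclosed."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return all(addr == "" for _name, addr in getaddresses(fields))


def low_reputation_links(html_body):
    """Links whose registered domain is outside the reputation list, each tagged
    with whether its display text matches the login-style regex."""
    parser = LinkExtractor()
    parser.feed(html_body)
    hits = []
    for href, text in parser.links:
        domain = registered_domain(href)
        if domain and domain not in TRANCO_TOP:
            hits.append({"href": href, "domain": domain,
                         "login_text": bool(LOGIN_TEXT_RE.search(text))})
    return hits


def credential_theft_intent(nlu_intents, min_confidence="medium"):
    """nlu_intents is the upstream NLU classifier's output (assumed shape:
    [{'name': ..., 'confidence': 'low'|'medium'|'high'}]); not implemented here."""
    floor = CONFIDENCE_RANK[min_confidence]
    return any(i["name"] == "cred_theft" and CONFIDENCE_RANK[i["confidence"]] >= floor
               for i in nlu_intents)


def evaluate(raw_message, nlu_intents):
    """Apply the rule to one RFC 822 message; every condition must hold to flag."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    links = low_reputation_links(body)
    undisclosed = recipients_undisclosed(msg)
    intent = credential_theft_intent(nlu_intents)
    return {"undisclosed_recipients": undisclosed, "low_reputation_links": links,
            "cred_theft_intent": intent, "flagged": undisclosed and bool(links) and intent}


# Constructed sample: Bcc-only send, login-styled link to an unlisted domain.
PHISH = (
    "From: IT Support <helpdesk@example.net>\r\nTo: undisclosed-recipients:;\r\n"
    "Subject: Action required: mailbox quota\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><body><p>Your mailbox is almost full.</p>"
    "<a href='https://mail-quota-reset.example-login.net/auth'>Sign in to keep your account</a>"
    "</body></html>\r\n"
)
PHISH_NLU = [{"name": "cred_theft", "confidence": "high"}]

# Constructed benign sample: named recipient, link on a listed domain, weak intent.
BENIGN = (
    "From: Alice <alice@example.org>\r\nTo: Bob <bob@example.org>\r\nSubject: Slides\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><body><a href='https://docs.google.com/d/abc'>deck</a></body></html>\r\n"
)
BENIGN_NLU = [{"name": "cred_theft", "confidence": "low"}]

if __name__ == "__main__":
    for label, raw, nlu in (("phish", PHISH, PHISH_NLU), ("benign", BENIGN, BENIGN_NLU)):
        print(label, evaluate(raw, nlu))
```

The recipient check relies on the standard library address parser turning an empty group such as `undisclosed-recipients:;` into an entry with no mailbox, so both that form and a missing header are treated as undisclosed; if the platform exposes envelope recipients, prefer those over the header copy of Bcc, which is normally stripped before delivery.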
Categories
- Web
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2023-05-25