1+ name : " Extortion / sextortion (untrusted sender)"
2+ description : |
3+ Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender.
4+ references :
5+ - " https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
6+ type : " rule"
7+ severity : " low"
8+ source : |
9+ type.inbound
10+ and length(filter(body.links, .display_text is not null)) < 10
11+ and not (
12+ ml.nlu_classifier(body.current_thread.text).language == "english"
13+ and any(ml.nlu_classifier(body.html.display_text).topics,
14+ .name in (
15+ "News and Current Events",
16+ "Newsletters and Digests",
17+ "Advertising and Promotions"
18+ )
19+ and .confidence in ("high", "medium")
20+ )
21+ )
22+ and (
23+ (
24+ any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents,
25+ (.name == "extortion" and .confidence != "low")
26+ )
27+ and (
28+ any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text
29+ )
30+ ).entities,
31+ .name == "financial"
32+ or (
33+ .name is not null
34+ and regex.icontains(.text,
35+ "cybḛ[rŗřṙȑȓɍʀɼɽг]c[rŗřṙȑȓɍʀɼɽг]imina[lĺļľḷḹḽłƖʟḻ]s"
36+ )
37+ )
38+ )
39+ or any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text
40+ )
41+ ).topics,
42+ .name == "Financial Communications" and .confidence != "low"
43+ )
44+ )
45+ )
46+ // manual indicators failsafe
47+ or 3 of (
48+ // malware terms
49+ regex.icontains(strings.replace_confusables(body.current_thread.text),
50+ "(?:(?:spy|[mṁ][aȁ]l)[wŵ][aȁ][rŗ]e|[tŢ][rŗȓ][oố]j[aǻ][nņ]|[rȓ]emote (?:entry|cont[rř]o[lĺ])|infiltrat(?:ed|ion)|backdoor|vi[rṙ]us|intruder|(?:your|the).{0,15}(?:device|system|computer|phone).{0,10}(?:became|was|got|is).{0,5}comprom[ḯiïíįī]sed|prov[ḯiïíįī]d[ḯiïíįī]ng.{0,20}full [aảǡą]ccess)"
51+ ),
52+ // actions recorded
53+ regex.icontains(strings.replace_confusables(body.current_thread.text),
54+ "(?:p[oộ][rŗ]n|a[dȡ]ult (?:web)?site|webcam|mastu[rŗ]bating|je[rŗ]king off|pleasu[rŗȑ]i[nŋ]g you[rŗṛ]self|getting off|expli[cƈ]it|cl[ḯiïíįī]ps.{0,20}screenshots)"
55+ ),
56+ regex.icontains(strings.replace_confusables(body.current_thread.text),
57+ "(?:pe[rŗ]ve[rŗ]t|pe[rŗ]ve[rŗ]sion|mastu[rŗ]bat)"
58+ ),
59+ // a timeframe to pay
60+ regex.icontains(strings.replace_confusables(body.current_thread.text),
61+ '[ilo0-9]{2} (?:hou[rŗṝ][sṣ]|uu[rŗ])',
62+ '(?:one|tw[oờ]|2|th[rŗ]ee|\d) [dḍ][aảǡą]y[sṣ]?'
63+ ),
64+ // a promise from the actor
65+ regex.icontains(strings.replace_confusables(body.current_thread.text),
66+ '(?:pe[rŗ]manently|will|I''ll) delete|([rŗ]emove|destroy) (?:[\p{L}\p{M}\p{N}]+\s*){0,4} (?:data|ev[ḯiïįīí]dence|v[ḯiïíįī]deos?)'
67+ ),
68+ // a threat from the actor
69+ regex.icontains(strings.replace_confusables(body.current_thread.text),
70+ '(?:\bsen[dt]|forward|expose)\s*(?:[\p{L}\p{N}]+\s*){0,5}\s*to\s*(?:[\p{L}\p{N}]+\s*){0,5}(?:contacts|media|family|f[rŗ]iends|coworkers|associates)'
71+ ),
72+ // bitcoin language (excluding newsletters)
73+ (
74+ regex.icontains(strings.replace_confusables(body.current_thread.text),
75+ '[bḆḂ]it[cĉƈ][oöة]+in|\bbtc\b|blockchain'
76+ )
77+ // negate cryptocurrency newsletters
78+ and not (
79+ any(body.links,
80+ strings.icontains(.display_text, "unsubscribe")
81+ and (
82+ strings.icontains(.href_url.path, "unsubscribe")
83+ // handle mimecast URL rewrites
84+ or (
85+ .href_url.domain.root_domain == 'mimecastprotect.com'
86+ and strings.icontains(.href_url.query_params,
87+ sender.email.domain.root_domain
88+ )
89+ )
90+ )
91+ )
92+ )
93+ ),
94+ (
95+ regex.icontains(strings.replace_confusables(body.current_thread.text),
96+ '(?:contact the police|(?:bitcoin|\bbtc\b).{0,20}wallet)'
97+ )
98+ and regex.icontains(strings.replace_confusables(body.current_thread.text),
99+ '(?:\b[13][a-km-zA-HJ-NP-Z0-9]{24,34}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(?:0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b'
100+ )
101+ ),
102+ regex.icontains(strings.replace_confusables(body.current_thread.text),
103+ 'bc1q.{0,50}\b'
104+ )
105+ )
106+ )
107+ and (
108+ not profile.by_sender().solicited
109+ or (
110+ profile.by_sender().any_messages_malicious_or_spam
111+ and not profile.by_sender().any_messages_benign
112+ )
113+ or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
114+
115+ // many extortion emails spoof sender domains and fail sender authentication
116+ or (
117+ not headers.auth_summary.dmarc.pass
118+ or headers.auth_summary.dmarc.pass is null
119+ or not headers.auth_summary.spf.pass
120+ )
121+ )
122+
123+ // negate benign newsletters that mention cyber extortion
124+ and not (
125+ any(body.links,
126+ strings.icontains(.display_text, "unsubscribe")
127+ and strings.icontains(.href_url.path, "unsubscribe")
128+ )
129+ // newsletters are typically longer than the average extortion script
130+ and length(body.current_thread.text) > 2000
131+ )
132+ and length(body.current_thread.text) < 8000
133+ // negate highly trusted sender domains unless they fail DMARC authentication
134+ and (
135+ (
136+ sender.email.domain.root_domain in $high_trust_sender_root_domains
137+ and not headers.auth_summary.dmarc.pass
138+ )
139+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
140+ )
141+
142+ attack_types :
143+ - " Extortion"
144+ tactics_and_techniques :
145+ - " Social engineering"
146+ - " Spoofing"
147+ detection_methods :
148+ - " Content analysis"
149+ - " Header analysis"
150+ - " Natural Language Understanding"
151+ - " Sender analysis"
152+ id : " f96a8612-c76d-52b3-8d40-af91a82b83d5"
153+ og_id : " 265913eb-2ccd-5f77-9a09-f6d8539fd2f6"
154+ testing_pr : 3441
155+ testing_sha : be00577766620181880493edc8559726bcd4db15
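Review bot: The entity regex on line 35 spells its fourth character as a literal `ḛ` with no plain `e` alternative, so the ASCII spelling "cybercriminals" — the spelling the `strings.replace_confusables` wrapper is there to produce — can never match and the `.name is not null and regex.icontains(...)` branch looks effectively dead; `"cyb[eḛ][rŗřṙȑȓɍʀɼɽг]c[rŗřṙȑȓɍʀɼɽг]imina[lĺļľḷḹḽłƖʟḻ]s"` restores the intended match. The "promise from the actor" pattern on line 66 places a literal space after `{0,4}` even though the repeated group already consumes trailing whitespace, so the two-word forms `remove videos` / `destroy evidence` only match with a doubled space; `(?:[rŗ]emove|destroy)\s+(?:[\p{L}\p{M}\p{N}]+\s+){0,4}(?:data|ev[ḯiïįīí]dence|v[ḯiïíįī]deos?)` covers them. The newsletter negation on lines 11–21 reads the language from `body.current_thread.text` but the topics from `body.html.display_text`; if that asymmetry is deliberate, a short comment such as `// language from the current thread, topics from the rendered HTML (may differ for quoted replies)` would save the next reader from assuming it is a typo.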