Credential Phishing: Image as content, short or no body contents
This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions.
Sublime rule (View on GitHub)
1name: "Credential Phishing: Image as content, short or no body contents"
2description: |
3 This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
4 or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
5 to high-confidence credit theft intentions.
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and length(body.links) < 2
11 and 0 < (length(attachments)) < 3
12 and (
13 // body text is very short
14 (
15 0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
16 )
17 or (
18 length(body.current_thread.text) < 900
19 // or body is most likely all warning banner (text contains the sender and common warning banner language)
20 and (
21 (
22 strings.contains(body.current_thread.text, sender.email.email)
23 and strings.contains(body.current_thread.text, 'caution')
24 )
25 or regex.icontains(body.current_thread.text,
26 "intended recipient's use only|external email|sent from outside|you don't often"
27 )
28 )
29 )
30 )
31 and (
32 all(attachments,
33 (.file_type in $file_types_images)
34 and (
35 any(file.explode(.),
36 any(.scan.exiftool.fields, .value == "Truncated PNG image")
37 or (
38 any(ml.logo_detect(..).brands, .name is not null)
39 and any(ml.nlu_classifier(.scan.ocr.raw).intents,
40 .name == "cred_theft" and .confidence == "high"
41 )
42 )
43 )
44 )
45 )
46 )
47attack_types:
48 - "Credential Phishing"
49tactics_and_techniques:
50 - "Evasion"
51 - "Image as content"
52detection_methods:
53 - "Computer Vision"
54 - "Content analysis"
55 - "File analysis"
56 - "Header analysis"
57 - "Natural Language Understanding"
58 - "Optical Character Recognition"
59id: "01313f38-d0d1-5240-b407-8f9158639277"