Credential Phishing: Image as content, short or no body contents

This rule identifies incoming messages with few links, only image attachments, and a body that is empty, brief, or consists solely of a warning banner/disclaimer. It also checks for truncated PNG images, or for a detected logo combined with a high-confidence credential theft intent in the image's OCR text.


 1name: "Credential Phishing: Image as content, short or no body contents"
 2description: |
 3  This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
 4  or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
 5  to high-confidence credit theft intentions.  
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and length(body.links) < 2
11  and 0 < (length(attachments)) < 3
12  and (
13    // body text is very short
14    (
15      0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
16    )
17    or (
18      length(body.current_thread.text) < 900
19      // or body is most likely all warning banner (text contains the sender and common warning banner language)
20      and (
21        (
22          strings.contains(body.current_thread.text, sender.email.email)
23          and strings.contains(body.current_thread.text, 'caution')
24        )
25        or regex.icontains(body.current_thread.text,
26                           "intended recipient's use only|external email|sent from outside|you don't often"
27        )
28      )
29    )
30  )
31  and (
32    all(attachments,
33        (.file_type in $file_types_images)
34        and (
35          any(file.explode(.),
36              any(.scan.exiftool.fields, .value == "Truncated PNG image")
37              or (
38                any(ml.logo_detect(..).brands, .name is not null)
39                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
40                        .name == "cred_theft" and .confidence == "high"
41                )
42              )
43          )
44        )
45    )
46  )  
47attack_types:
48  - "Credential Phishing"
49tactics_and_techniques:
50  - "Evasion"
51  - "Image as content"
52detection_methods:
53  - "Computer Vision"
54  - "Content analysis"
55  - "File analysis"
56  - "Header analysis"
57  - "Natural Language Understanding"
58  - "Optical Character Recognition"
59id: "01313f38-d0d1-5240-b407-8f9158639277"