Attachment: Dropbox image lure with no Dropbox domains in links

 1name: "Attachment: Dropbox image lure with no Dropbox domains in links"
 2description: "Detects Dropbox phishing emails with no Dropbox links with image attachments from an untrusted sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(filter(attachments, .file_type not in $file_types_images)) == 0
 8  and any(body.links,
 9          not strings.ilike(.href_url.domain.root_domain, "dropbox.*")
10  )
11  and any(attachments,
12          .file_type in $file_types_images
13          and any(file.explode(.),
14                  strings.ilike(.scan.ocr.raw, "*dropbox*")
15                  and strings.ilike(.scan.ocr.raw, "*review*", "*sign*")
16          )
17  )
18  and (
19    not profile.by_sender().solicited
20    or profile.by_sender().any_messages_malicious_or_spam
21  )
22  and not profile.by_sender().any_false_positives   
23attack_types:
24  - "Credential Phishing"
25tactics_and_techniques:
26  - "Impersonation: Brand"
27  - "Social engineering"
28detection_methods:
29  - "Content analysis"
30  - "File analysis"
31  - "Header analysis"
32  - "Optical Character Recognition"
33  - "Sender analysis"
34id: "500eee2d-d793-5450-a87f-825ce27c897d"