Attachment: EML with Suspicious Indicators

Attached EML contains suspicious indicators, such as a missing sender email or short HTML body.

Sublime rule (View on GitHub)

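 # Sublime rule: flags an inbound message whose single attached EML shows
 # suspicious indicators (empty sender address, near-empty HTML body, too few
 # header hops) when the outer sender is unsolicited or has prior spam/malicious
 # history. Rendered gutter numbers have been stripped so the listing is valid YAML.
name: "Attachment: EML with Suspicious Indicators"
description: "Attached EML contains suspicious indicators, such as a missing sender email or short HTML body."
type: "rule"
severity: "medium"
source: |
  // Inbound mail with exactly one attachment; messages carrying additional
  // attachments are out of scope for this rule.
  type.inbound
  and length(attachments) == 1
  // Outer thread text is short, absent, or classified with a credential-theft /
  // PII-stealing intent.
  and (
    length(body.current_thread.text) < 300
    or body.current_thread.text is null
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name in ("cred_theft", "steal_pii")
    )
  )
  // Suppress when the classifier is highly confident the thread is benign.
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "benign" and .confidence == "high"
  )
  and any(attachments,
          // attachment identified as an EML by file extension or MIME type;
          // file.parse_eml(.) is repeated in each condition below rather than bound once
          (.file_extension == "eml" or .content_type == "message/rfc822")
          and (
            // suspicious indicators: empty sender address, (near-)empty HTML body,
            // or fewer than two header hops (presumably Received relays — confirm)
            file.parse_eml(.).sender.email.email == ""
            or length(file.parse_eml(.).body.html.raw) < 10
            or length(file.parse_eml(.).headers.hops) < 2
          )
          // false-positive exclusion: inner EML whose links all resolve to
          // aka.ms / office365.com (or the "#additionalatt" anchor) and whose
          // text carries the attachment-safety notice. NOTE: the apostrophe in
          // "We’re" is U+2019 (curly); an ASCII apostrophe would not match.
          and not (
            all(file.parse_eml(.).body.links,
                .href_url.domain.root_domain in ("aka.ms", "office365.com")
                or .href_url.url == "#additionalatt"
            )
            and strings.icontains(file.parse_eml(.).body.current_thread.text,
                                  "We’re making sure your attachments are safe"
            )
          )
          // inner EML's sender root domain is not one of the organization's own
          and file.parse_eml(.).sender.email.domain.root_domain not in $org_domains
  )
  // Outer sender reputation: unsolicited, or previously spam/malicious with no
  // recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "deb5d08d-92b7-5f7b-a7b0-e5053221c2f5"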