Attachment: Fake attachment image lure

Message (or attached message) contains an image impersonating an Outlook attachment button.

Sublime rule (View on GitHub)

  1name: "Attachment: Fake attachment image lure"
  2description: | 
  3  Message (or attached message) contains an image impersonating an Outlook attachment button.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  and length(attachments) < 15
  9  and (
 10    // fake file attachment preview in original email
 11    any(attachments,
 12        .file_type in $file_types_images
 13        and (
 14          any(ml.logo_detect(.).brands,
 15              .name == "FakeAttachment" and .confidence == "high"
 16          )
 17          or (
 18            .size < 30000
 19            and any(file.explode(.),
 20                    strings.icontains(.scan.ocr.raw, 'sent you')
 21                    // the attached image includes a filesize string
 22                    and regex.icontains(.scan.ocr.raw,
 23                                        '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
 24                    )
 25            )
 26          )
 27        )
 28    )
 29    // message body/screenhot
 30    or any(ml.logo_detect(beta.message_screenshot()).brands,
 31           .name == "FakeAttachment" and .confidence == "high"
 32    )
 33    
 34    // Suspicious table with file size indicators 
 35    or regex.contains(body.html.raw,
 36                      "<table[^>]*>.*?<img[^>]+src=[\"']cid:[^\"']+[\"'][^>]*>.*?\\.(pdf|doc(x)|xls(x)?).*?<font[^>]*>\\s*\\d{1,4}\\.\\d{1,2}\\s*k[bB]"
 37    )
 38  
 39    // fake file attachment preview in attached EML
 40    or any(attachments,
 41           (.content_type == "message/rfc822" or .file_extension == "eml")
 42           and any(file.parse_eml(.).attachments,
 43                   .file_type in $file_types_images
 44                   and (
 45                     any(ml.logo_detect(.).brands, .name == "FakeAttachment")
 46                     or (
 47                       .size < 30000
 48                       and any(file.explode(.),
 49                               strings.icontains(.scan.ocr.raw, 'sent you')
 50                               // the attached image includes a filesize string
 51                               and regex.icontains(.scan.ocr.raw,
 52                                                   '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
 53                               )
 54                       )
 55                     )
 56                   )
 57           )
 58    )
 59  )
 60  and not (
 61    (
 62      strings.istarts_with(subject.subject, "RE:")
 63      or strings.istarts_with(subject.subject, "R:")
 64      or strings.istarts_with(subject.subject, "ODG:")
 65      or strings.istarts_with(subject.subject, "答复:")
 66      or strings.istarts_with(subject.subject, "AW:")
 67      or strings.istarts_with(subject.subject, "TR:")
 68      or strings.istarts_with(subject.subject, "FWD:")
 69      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 70      or regex.imatch(subject.subject,
 71                      '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
 72      )
 73    )
 74    and (
 75      length(headers.references) > 0
 76      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 77    )
 78  )
 79  // negate highly trusted sender domains unless they fail DMARC authentication
 80  and (
 81    (
 82      sender.email.domain.root_domain in $high_trust_sender_root_domains
 83      and not headers.auth_summary.dmarc.pass
 84    )
 85    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 86  )
 87  and (
 88    sender.email.domain.root_domain not in ("sharepointonline.com")
 89    or not headers.auth_summary.dmarc.pass
 90  )  
 91tags:
 92  - "Suspicious attachment"
 93  - "Suspicious content"
 94attack_types:
 95  - "Credential Phishing"
 96  - "Malware/Ransomware"
 97tactics_and_techniques:
 98  - "Evasion"
 99  - "Image as content"
100  - "Social engineering"
101detection_methods:
102  - "File analysis"
103  - "Natural Language Understanding"
104  - "Optical Character Recognition"
105id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"

Related rules
