Attachment: Fake attachment image lure

Message (or attached message) contains an image impersonating an Outlook attachment button.

Sublime rule

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# Flags image attachments that mimic an Outlook attachment button, either in the
# message itself or inside an attached .eml, and then narrows by sender trust/profile.
name: "Attachment: Fake attachment image lure"
description: | 
  Message (or attached message) contains an image impersonating an Outlook attachment button.
type: "rule"
severity: "medium"
source: |
  // Only inbound messages are evaluated.
  type.inbound
  and (
    // fake file attachment preview in original email
    // Branch 1: an image attachment (per $file_types_images) that either
    //   (a) logo detection tags as the "FakeAttachment" brand, or
    //   (b) is small and whose OCR text contains 'sent you' plus a file-size string.
    any(attachments,
        .file_type in $file_types_images
        and (
          any(ml.logo_detect(.).brands, .name == "FakeAttachment")
          or (
            // NOTE(review): size threshold presumably in bytes — confirm. It limits
            // the (more expensive) explode/OCR path to small, button-sized images.
            .size < 30000
            and any(file.explode(.),
                    strings.icontains(.scan.ocr.raw, 'sent you')
                    // the attached image includes a filesize string
                    // NOTE(review): the '.' between the digit groups is unescaped, so it
                    // matches any single character rather than only a decimal point;
                    // presumably intentional to tolerate OCR noise — confirm before
                    // tightening it to '\.'.
                    and regex.icontains(.scan.ocr.raw,
                                        '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
                    )
            )
          )
        )
    )
    // fake file attachment preview in attached EML
    // Branch 2: the same two checks, applied to the attachments of an attached
    // message/rfc822 (.eml) after parsing it with file.parse_eml.
    or any(attachments,
           (.content_type == "message/rfc822" or .file_extension == "eml")
           and any(file.parse_eml(.).attachments,
                   .file_type in $file_types_images
                   and (
                     any(ml.logo_detect(.).brands, .name == "FakeAttachment")
                     or (
                       // Same size / OCR conditions as Branch 1 (see notes there).
                       .size < 30000
                       and any(file.explode(.),
                               strings.icontains(.scan.ocr.raw, 'sent you')
                               // the attached image includes a filesize string
                               and regex.icontains(.scan.ocr.raw,
                                                   '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
                               )
                       )
                     )
                   )
           )
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // Net effect: a sender whose root domain is in $high_trust_sender_root_domains
  // AND passes DMARC makes the rule false; every other sender passes through.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Sender-profile gate: the sender must be unsolicited, or must already have
  // messages classified as malicious or spam in the sender profile.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )  
# Triage metadata; does not affect matching.
tags:
  - "Suspicious attachment"
  - "Suspicious content"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
# Stable rule identifier.
id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"
