Attachment: Fake attachment image lure
Message (or attached message) contains an image impersonating an Outlook attachment button.
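# Sublime Security detection rule; the `source` block scalar holds the MQL query.
# Verdict: message (or an attached .eml) carries a small image that impersonates an
# Outlook attachment preview, either by logo match or by OCR text ("sent you" + a file size).
name: "Attachment: Fake attachment image lure"
description: |
  Message (or attached message) contains an image impersonating an Outlook attachment button.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // cap on attachment count: messages with 8 or more attachments are out of scope
  and length(attachments) < 8
  and (
    // fake file attachment preview in original email
    any(attachments,
        .file_type in $file_types_images
        and (
          any(ml.logo_detect(.).brands, .name == "FakeAttachment")
          or (
            // only small images (.size < 30000, presumably bytes) go through explode + OCR
            .size < 30000
            and any(file.explode(.),
                    strings.icontains(.scan.ocr.raw, 'sent you')
                    // the attached image includes a filesize string such as "24 KB",
                    // "1.5 MB" or "1,5 MB": the decimal part is optional and the
                    // separator is an explicit [.,] rather than an unescaped "." wildcard
                    and regex.icontains(.scan.ocr.raw,
                                        '\b\d+([.,]\d{1,2})?\s?(k|m)b(\s|$)'
                    )
            )
          )
        )
    )
    // fake file attachment preview in attached EML
    or any(attachments,
           (.content_type == "message/rfc822" or .file_extension == "eml")
           and any(file.parse_eml(.).attachments,
                   .file_type in $file_types_images
                   and (
                     any(ml.logo_detect(.).brands, .name == "FakeAttachment")
                     or (
                       .size < 30000
                       and any(file.explode(.),
                               strings.icontains(.scan.ocr.raw, 'sent you')
                               // the attached image includes a filesize string (same pattern as
                               // for the top-level attachment branch above)
                               and regex.icontains(.scan.ocr.raw,
                                                   '\b\d+([.,]\d{1,2})?\s?(k|m)b(\s|$)'
                               )
                       )
                     )
                   )
           )
    )
  )
  // negate genuine replies / forwards: requires BOTH a reply-style subject prefix
  // AND threading headers (References or In-Reply-To), so a bare "RE:" subject alone
  // does not suppress the rule
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "R:")
      or strings.istarts_with(subject.subject, "ODG:")
      or strings.istarts_with(subject.subject, "答复:")
      or strings.istarts_with(subject.subject, "AW:")
      or strings.istarts_with(subject.subject, "TR:")
      or strings.istarts_with(subject.subject, "FWD:")
      // NOTE(review): if regex.imatch anchors to the whole subject, this pattern needs a
      // trailing .* to cover "[TAG] RE: ..." subjects -- confirm against the MQL reference
      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
    )
    and (
      length(headers.references) > 0
      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Suspicious attachment"
  - "Suspicious content"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"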