Attachment: Fake attachment image lure

Message (or attached message) contains an image impersonating an Outlook attachment button.

Sublime rule (View on GitHub)

# Sublime Security detection rule: flags messages that carry an image made to
# look like an Outlook attachment button (a lure that baits the recipient into
# clicking an image rather than a real attachment). The MQL query in `source`
# fires when any of four lure signals is present, then removes two classes of
# likely-benign mail (in-thread replies and DMARC-passing high-trust senders).
name: "Attachment: Fake attachment image lure"
description: | 
  Message (or attached message) contains an image impersonating an Outlook attachment button.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // scope: skip messages carrying 15 or more attachments (presumably to bound the
  // per-attachment ML/OCR work below; the threshold is not explained in the rule)
  and length(attachments) < 15
  and (
    // signal 1: fake file attachment preview in original email
    any(attachments,
        .file_type in $file_types_images
        and (
          // logo model recognises the "FakeAttachment" brand with high confidence
          any(ml.logo_detect(.).brands,
              .name == "FakeAttachment" and .confidence == "high"
          )
          // OCR fallback for small images only (< 30000 bytes)
          or (
            .size < 30000
            and any(file.explode(.),
                    strings.icontains(.scan.ocr.raw, 'sent you')
                    // the attached image includes a filesize string
                    // NOTE(review): the '.' between the digit groups is unescaped, so it
                    // matches any single character (a comma as well as a decimal point);
                    // confirm whether this OCR tolerance is intended
                    and regex.icontains(.scan.ocr.raw,
                                        '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
                    )
            )
          )
        )
    )
    // signal 2: the lure is rendered in the message body itself, so run the
    // logo model over a screenshot of the rendered message
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "FakeAttachment" and .confidence == "high"
    )
  
    // signal 3: suspicious HTML table: an inline (cid:) image followed by a document
    // extension and a "<n>.<nn> kB"-style size inside a <font> element
    // (double-quoted MQL string, hence the doubled backslashes)
    // NOTE(review): "doc(x)" requires the trailing x, so ".doc" alone is not matched,
    // while "xls(x)?" makes it optional; confirm whether "doc(x)?" was intended
    or regex.contains(body.html.raw,
                      "<table[^>]*>.*?<img[^>]+src=[\"']cid:[^\"']+[\"'][^>]*>.*?\\.(pdf|doc(x)|xls(x)?).*?<font[^>]*>\\s*\\d{1,4}\\.\\d{1,2}\\s*k[bB]"
    )
  
    // signal 4: fake file attachment preview in attached EML; same checks as
    // signal 1, applied to the images inside a forwarded/attached message
    or any(attachments,
           (.content_type == "message/rfc822" or .file_extension == "eml")
           and any(file.parse_eml(.).attachments,
                   .file_type in $file_types_images
                   and (
                     // NOTE(review): unlike signal 1, no `.confidence == "high"` threshold
                     // here, so any-confidence brand hits fire; confirm this is deliberate
                     any(ml.logo_detect(.).brands, .name == "FakeAttachment")
                     or (
                       .size < 30000
                       and any(file.explode(.),
                               strings.icontains(.scan.ocr.raw, 'sent you')
                               // the attached image includes a filesize string
                               and regex.icontains(.scan.ocr.raw,
                                                   '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
                               )
                       )
                     )
                   )
           )
    )
  )
  // exclusion 1: a reply/forward that is also part of an existing thread
  // (both the subject prefix and the threading headers are required)
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "R:")
      or strings.istarts_with(subject.subject, "ODG:")
      or strings.istarts_with(subject.subject, "答复:")
      or strings.istarts_with(subject.subject, "AW:")
      or strings.istarts_with(subject.subject, "TR:")
      or strings.istarts_with(subject.subject, "FWD:")
      // up to three bracketed tags (e.g. list or classification markers) before the prefix
      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      // external-mail banner followed by a reply/forward prefix
      or regex.imatch(subject.subject,
                      '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
      )
    )
    and (length(headers.references) > 0 or headers.in_reply_to is not null)
  )
  // exclusion 2: negate highly trusted sender domains unless they fail DMARC authentication
  // (a DMARC failure keeps the rule active, so a spoofed high-trust domain still fires)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // same pattern for sharepointonline.com: exempt only when DMARC passes
  and (
    sender.email.domain.root_domain not in ("sharepointonline.com")
    or not headers.auth_summary.dmarc.pass
  )  
tags:
  - "Suspicious attachment"
  - "Suspicious content"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"

Related rules
