Attachment: Fake attachment image lure

 1name: "Attachment: Fake attachment image lure"
 2description: | 
 3  Message (or attached message) contains an image impersonating an Outlook attachment button.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and (
 9    // fake file attachment preview in original email
10    any(attachments,
11        .file_type in $file_types_images
12        and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
13    )
14    // fake file attachment preview in attached EML
15    or any(attachments,
16           (.content_type == "message/rfc822" or .file_extension == "eml")
17           and any(file.parse_eml(.).attachments,
18                   .file_type in $file_types_images
19                   and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
20           )
21    )
22  )
23  
24  // negate highly trusted sender domains unless they fail DMARC authentication
25  and (
26    (
27      sender.email.domain.root_domain in $high_trust_sender_root_domains
28      and not headers.auth_summary.dmarc.pass
29    )
30    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
31  )
32  
33  and (
34    not profile.by_sender().solicited
35    or profile.by_sender().any_messages_malicious_or_spam
36  )  
37tags:
38  - "Suspicious attachment"
39  - "Suspicious content"
40attack_types:
41  - "Credential Phishing"
42  - "Malware/Ransomware"
43tactics_and_techniques:
44  - "Evasion"
45  - "Image as content"
46  - "Social engineering"
47detection_methods:
48  - "File analysis"
49  - "Natural Language Understanding"
50  - "Optical Character Recognition"
51id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"