Attachment: Fake attachment image lure

Message (or attached message) contains an image impersonating an Outlook attachment button.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source` block is the MQL query that
# decides whether a message matches. It targets inbound mail carrying an
# image that the logo-detection model labels "FakeAttachment" (an image
# drawn to look like an Outlook attachment button), either directly
# attached or nested inside an attached .eml.
name: "Attachment: Fake attachment image lure"
description: | 
  Message (or attached message) contains an image impersonating an Outlook attachment button.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // fake file attachment preview in original email
    // only image attachments ($file_types_images) are sent to ml.logo_detect,
    // and a hit requires the "FakeAttachment" brand label
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
    )
    // fake file attachment preview in attached EML
    // an attached message (message/rfc822 or .eml) is parsed with file.parse_eml
    // so the same image check also covers its nested attachments
    or any(attachments,
           (.content_type == "message/rfc822" or .file_extension == "eml")
           and any(file.parse_eml(.).attachments,
                   .file_type in $file_types_images
                   and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
           )
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // a root domain in $high_trust_sender_root_domains is exempted only while
  // no hop that reports a DMARC result reports one matching "*fail";
  // every other root domain passes straight through this clause
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender-profile gate: fire only for unsolicited senders, or for senders
  // whose prior messages were flagged as malicious or spam
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )  
tags:
  - "Suspicious attachment"
  - "Suspicious content"
# classification metadata used for reporting / triage
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
# rule identifier (presumably stable across revisions — confirm against the repo)
id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"
