Attachment: Fake attachment image lure
Message (or attached message) contains an image impersonating an Outlook attachment button.
# Sublime Security detection rule (MQL query under `source`).
# Fires on inbound mail where an image attachment — in the message itself or
# inside an attached .eml — is classified by ml.logo_detect as the brand
# "FakeAttachment", i.e. an image drawn to look like an Outlook attachment button.
name: "Attachment: Fake attachment image lure"
description: |
  Message (or attached message) contains an image impersonating an Outlook attachment button.
type: "rule"
# Medium: the rule matches on the lure image alone; it inspects no link,
# body text, or other attachment content, so the payload (if any) is unknown here.
severity: "medium"
source: |
  type.inbound
  and (
    // fake file attachment preview in original email
    // Matches on .file_type against the $file_types_images list rather than on
    // the extension the sender chose (assumes file_type is content-derived — confirm
    // against Sublime's attachment schema).
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
    )
    // fake file attachment preview in attached EML
    // An attachment is treated as a message if either its declared content type
    // or its extension says so. Only one level of nesting is parsed: an .eml
    // attached to the attached .eml is not inspected by this clause.
    // (String equality in MQL is expected to be case-insensitive, so "EML" should
    // also match — confirm.)
    or any(attachments,
           (.content_type == "message/rfc822" or .file_extension == "eml")
           and any(file.parse_eml(.).attachments,
                   .file_type in $file_types_images
                   and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
           )
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain suppresses the alert only when DMARC passed; a
  // message claiming a high-trust domain that fails DMARC (possible spoof) is
  // still evaluated. Any other root domain is always evaluated.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // Sender-profile suppression: skip senders whose profile is marked solicited,
  // unless that same sender already has malicious or spam messages on record.
  // (Exact meaning of `solicited` is defined by Sublime's sender profile — confirm.)
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
tags:
  - "Suspicious attachment"
  - "Suspicious content"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Social engineering"
# Only ml.logo_detect is invoked in `source`; the NLU and OCR entries presumably
# describe what that detector does internally — confirm against its documentation.
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"