Attachment: Fake scan-to-email
Message and attachment resemble an email from a scan-to-email service or device with credential theft language.
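# Detection rule: a message styled as a scanner / multifunction-device
# "scan-to-email" notification, carrying exactly one PDF whose content
# (OCR text, NLU intent or detected brand logo) points at credential theft.
name: "Attachment: Fake scan-to-email"
description: "Message and attachment resemble an email from a scan-to-email service or device with credential theft language."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // genuine scan notifications are short; long bodies fall outside this lure
  and length(body.current_thread.text) < 1500
  and (
    // scanner-style metadata labels in the visible body text
    3 of (
      strings.icontains(body.current_thread.text, "Number of Images:"),
      strings.icontains(body.current_thread.text, "Attachment File Type:"),
      strings.icontains(body.current_thread.text, "Device Model:"),
      strings.icontains(body.current_thread.text, "Device Name:"),
      strings.icontains(body.current_thread.text, "Resolution:"),
      strings.icontains(body.current_thread.text, "File Format:"),
      strings.icontains(body.current_thread.text, "Device Location:")
    )
    or (
      // scanner-style phrasing in the visible body text
      3 of (
        strings.ilike(body.current_thread.text, "*scan date*"),
        strings.ilike(body.current_thread.text, "*was sent from*"),
        strings.ilike(body.current_thread.text, "*of pages*"),
        strings.ilike(body.current_thread.text, "*scanned file*")
      )
      // "image as content": the scanner text is only present in a rendered
      // image of the message, so it has to be read back from the OCR output
      // of the message screenshot. The branches above already inspect
      // body.current_thread.text; this branch must look at the exploded
      // screenshot instead, otherwise the explode is never used.
      // NOTE(review): the earlier version matched body.current_thread.text
      // here; changed to .scan.ocr.raw so the screenshot OCR is actually read.
      or any(file.explode(beta.message_screenshot()),
             3 of (
               strings.ilike(.scan.ocr.raw, "*scan date*"),
               strings.ilike(.scan.ocr.raw, "*was sent from*"),
               strings.ilike(.scan.ocr.raw, "*of pages*"),
               strings.ilike(.scan.ocr.raw, "*scanned file*"),
               strings.icontains(.scan.ocr.raw, "Number of Images:"),
               strings.icontains(.scan.ocr.raw, "Attachment File Type:"),
               strings.icontains(.scan.ocr.raw, "Device Name:"),
               strings.icontains(.scan.ocr.raw, "Device Location:"),
               strings.icontains(.scan.ocr.raw, "Device Model:")
             )
      )
    )
  )
  // exactly one PDF attachment is present
  and length(filter(attachments, .file_type == "pdf")) == 1
  and any(attachments,
          .file_type == "pdf"
          and (
            // readable pdf: scanner wording, a cred_theft NLU intent, or an
            // impersonated brand logo, combined with a single embedded link
            any(file.explode(.),
                (
                  strings.ilike(.scan.ocr.raw,
                                "*scan date*",
                                "*was sent from*",
                                "*of pages*",
                                "*verif*document*",
                                "*scanned file*"
                  )
                  or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                         .name == "cred_theft"
                  )
                  // ".." refers to the attachment being exploded
                  or any(ml.logo_detect(..).brands,
                         .name in ("DocuSign", "Microsoft")
                  )
                )
                and length(.scan.url.urls) == 1
            )
            // encrypted pdf: an Exiftool "Encryption" field, or high entropy
            // together with a "/Encrypt" marker in the extracted strings
            or any(file.explode(.),
                   any(.scan.exiftool.fields, .key == "Encryption")
                   or (
                     .scan.entropy.entropy > 7
                     and any(.scan.strings.strings,
                             strings.icontains(., "/Encrypt")
                     )
                   )
            )
          )
  )
  // sender is outside the organisation's own domains
  and sender.email.domain.domain not in~ $org_domains
  // sender is unsolicited, or has prior malicious/spam history; the
  // any_false_positives exclusion is applied once for both cases below
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Image as content"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ea850cc1-b5ae-5405-a9e1-43ba91ef6e21"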