Attachment: Fake scan-to-email
Message and attachment resemble an email from a scan-to-email service or device with credential theft language.
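# Sublime detection rule (MQL embedded in YAML).
# Fires on inbound messages that imitate a scanner / scan-to-email
# notification and carry a single PDF or Word attachment, where the PDF
# either shows credential-theft indicators with one link or is encrypted
# (which blocks content inspection), from a sender with no benign history.
name: "Attachment: Fake scan-to-email"
description: "Message and attachment resemble an email from a scan-to-email service or device with credential theft language."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // scanner notifications carry little text: either the raw body, or the
  // body minus an NLU-detected disclaimer, must be under 1500 characters
  and (
    length(body.current_thread.text) < 1500
    // body length without disclaimer is shorter than 1500 characters
    or (
      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
                     .name == "disclaimer"
              ),
              .text
          ),
          (length(body.current_thread.text) - length(.)) < 1500
      )
    )
  )
  // scanner-style wording: at least three phrases in the body text, or,
  // for image-as-content bodies, in the OCR output of a screenshot of the
  // rendered message (.scan.ocr.raw) — the screenshot branch must not
  // re-check body.current_thread.text or image-only bodies never match
  and (
    3 of (
      strings.icontains(body.current_thread.text, "Number of Images:"),
      strings.icontains(body.current_thread.text, "Attachment File Type:"),
      strings.icontains(body.current_thread.text, "Device Model:"),
      strings.icontains(body.current_thread.text, "Device Name:"),
      strings.icontains(body.current_thread.text, "Resolution:"),
      strings.icontains(body.current_thread.text, "File Format:"),
      strings.icontains(body.current_thread.text, "Device Location:"),
      strings.ilike(body.current_thread.text, "*scan date*"),
      strings.ilike(body.current_thread.text, "*was sent from*"),
      strings.ilike(body.current_thread.text, "*of pages*"),
      strings.ilike(body.current_thread.text, "*scanned file*")
    )
    or any(file.explode(beta.message_screenshot()),
           3 of (
             strings.ilike(.scan.ocr.raw, "*scan date*"),
             strings.ilike(.scan.ocr.raw, "*was sent from*"),
             strings.ilike(.scan.ocr.raw, "*of pages*"),
             strings.ilike(.scan.ocr.raw, "*scanned file*"),
             strings.icontains(.scan.ocr.raw, "Number of Images:"),
             strings.icontains(.scan.ocr.raw, "Attachment File Type:"),
             strings.icontains(.scan.ocr.raw, "Device Name:"),
             strings.icontains(.scan.ocr.raw, "Device Location:"),
             strings.icontains(.scan.ocr.raw, "Device Model:")
           )
    )
  )
  // attachment: exactly one PDF that is either a lure (scanner phrasing,
  // cred-theft intent, or a DocuSign/Microsoft logo, plus exactly one URL)
  // or encrypted, or exactly one Word document
  and (
    (
      length(filter(attachments, .file_type in ("pdf"))) == 1
      and any(attachments,
              .file_type == "pdf"
              and (
                any(file.explode(.),
                    (
                      strings.ilike(.scan.ocr.raw,
                                    "*scan date*",
                                    "*was sent from*",
                                    "*of pages*",
                                    "*verif*document*",
                                    "*scanned file*"
                      )
                      or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                             .name == "cred_theft"
                      )
                      // .. is the attachment the exploded object came from
                      or any(ml.logo_detect(..).brands,
                             .name in ("DocuSign", "Microsoft")
                      )
                    )
                    // a single link is typical of a cred-theft lure page
                    and length(.scan.url.urls) == 1
                )
                // encrypted pdf: an Encryption exiftool field, or high
                // entropy together with a PDF /Encrypt dictionary marker
                or any(file.explode(.),
                       any(.scan.exiftool.fields, .key == "Encryption")
                       or (
                         .scan.entropy.entropy > 7
                         and any(.scan.strings.strings,
                                 strings.icontains(., "/Encrypt")
                         )
                       )
                )
              )
      )
    )
    or length(filter(attachments, .file_type in ("doc", "docx"))) == 1
  )
  // external sender with no benign history that is either unsolicited or
  // previously seen sending malicious/spam mail
  and sender.email.domain.domain not in~ $org_domains
  and not profile.by_sender().any_messages_benign
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Image as content"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ea850cc1-b5ae-5405-a9e1-43ba91ef6e21"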