Attachment: Fake scan-to-email

Message and attachment resemble an email from a scan-to-email service or device, with credential-theft language.

Sublime rule (View on GitHub)

  1name: "Attachment: Fake scan-to-email"
  2description: "Message and attachment resemble an email from a scan-to-email service or device with credential theft language."
  3type: "rule"
  4severity: "medium"
   # Sublime MQL rule body. All five top-level clauses joined by `and` must hold:
   # inbound message, short body, scan-to-email wording, one qualifying PDF or Word
   # attachment, and an external sender with no benign history.
  5source: |
  6  type.inbound
     // Body-length gate: the current thread text is under 1500 characters, or it
     // would be once the text of any NLU-detected "disclaimer" entity is subtracted.
  7  and (
  8    length(body.current_thread.text) < 1500
  9    // body length without disclaimer is shorter than 1500 characters
 10    or (
 11      any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
 12                     .name == "disclaimer"
 13              ),
 14              .text
 15          ),
 16          (length(body.current_thread.text) - length(.)) < 1500
 17      )
 18    )
 19  )
     // Scan-to-email wording: at least three device/scan field labels, or at least
     // three scan-notification phrases, found in the body text.
 20  and (
 21    3 of (
 22      strings.icontains(body.current_thread.text, "Number of Images:"),
 23      strings.icontains(body.current_thread.text, "Attachment File Type:"),
 24      strings.icontains(body.current_thread.text, "Device Model:"),
 25      strings.icontains(body.current_thread.text, "Device Name:"),
 26      strings.icontains(body.current_thread.text, "Resolution:"),
 27      strings.icontains(body.current_thread.text, "File Format:"),
 28      strings.icontains(body.current_thread.text, "Device Location:")
 29    )
 30    or (
 31      3 of (
 32        strings.ilike(body.current_thread.text, "*scan date*"),
 33        strings.ilike(body.current_thread.text, "*was sent from*"),
 34        strings.ilike(body.current_thread.text, "*of pages*"),
 35        strings.ilike(body.current_thread.text, "*scanned file*"),
 36      )
       // NOTE(review): this any() explodes a rendered screenshot of the message, yet
       // every predicate inside it still reads body.current_thread.text rather than
       // the exploded image (e.g. .scan.ocr.raw, as the PDF branch below does), so
       // the screenshot's OCR text is not actually inspected here — confirm intent.
 37      or any(file.explode(beta.message_screenshot()),
 38             3 of (
 39               strings.ilike(body.current_thread.text, "*scan date*"),
 40               strings.ilike(body.current_thread.text, "*was sent from*"),
 41               strings.ilike(body.current_thread.text, "*of pages*"),
 42               strings.ilike(body.current_thread.text, "*scanned file*"),
 43               strings.icontains(body.current_thread.text, "Number of Images:"),
 44               strings.icontains(body.current_thread.text,
 45                                 "Attachment File Type:"
 46               ),
 47               strings.icontains(body.current_thread.text, "Device Name:"),
 48               strings.icontains(body.current_thread.text, "Device Location:"),
 49               strings.icontains(body.current_thread.text, "Device Model:")
 50             )
 51      )
 52    )
 53  )
     // Attachment gate: exactly one PDF that either (a) carries scan/verification
     // wording in its OCR text, a "cred_theft" NLU intent, or a DocuSign/Microsoft
     // logo while holding exactly one URL, or (b) looks encrypted; otherwise exactly
     // one Word document.
 54  and (
 55    (
 56      length(filter(attachments, .file_type in ("pdf"))) == 1
 57      and any(attachments,
 58              .file_type == "pdf"
 59              and (
 60                any(file.explode(.),
 61                    (
 62                      strings.ilike(.scan.ocr.raw,
 63                                    "*scan date*",
 64                                    "*was sent from*",
 65                                    "*of pages*",
 66                                    "*verif*document*",
 67                                    "*scanned file*"
 68                      )
 69                      or any(ml.nlu_classifier(.scan.ocr.raw).intents,
 70                             .name == "cred_theft"
 71                      )
 72                      or any(ml.logo_detect(..).brands,
 73                             .name in ("DocuSign", "Microsoft")
 74                      )
 75                    )
 76                    and length(.scan.url.urls) == 1
 77                )
 78                // encrypted pdf
                   // Encryption is inferred from an exiftool "Encryption" key, or from
                   // entropy above 7 together with a "/Encrypt" marker string.
 79                or any(file.explode(.),
 80                       any(.scan.exiftool.fields, .key == "Encryption")
 81                       or (
 82                         .scan.entropy.entropy > 7
 83                         and any(.scan.strings.strings,
 84                                 strings.icontains(., "/Encrypt")
 85                         )
 86                       )
 87                )
 88              )
 89      )
 90    )
       // A lone .doc/.docx attachment qualifies on count alone; its content is not
       // inspected by this rule.
 91    or length(filter(attachments, .file_type in ("doc", "docx"))) == 1
 92  )
     // Sender must be outside the organization's domains.
 93  and sender.email.domain.domain not in~ $org_domains
     // Sender history: unsolicited, or previously seen as malicious/spam. The inner
     // `and not profile.by_sender().any_messages_benign` is subsumed by the same
     // requirement applied unconditionally right after this group.
 94  and (
 95    not profile.by_sender().solicited
 96    or (
 97      profile.by_sender().any_messages_malicious_or_spam
 98      and not profile.by_sender().any_messages_benign
 99    )
100  )
101  and not profile.by_sender().any_messages_benign  
102
   # Classification metadata. NOTE(review): "Free file host" is tagged as a
   # technique, but no file-host or URL-domain check is visible in the source
   # above — confirm the tag.
103attack_types:
104  - "Credential Phishing"
105tactics_and_techniques:
106  - "Free file host"
107  - "Image as content"
108  - "PDF"
109  - "Social engineering"
110detection_methods:
111  - "Content analysis"
112  - "File analysis"
113  - "Natural Language Understanding"
114  - "Optical Character Recognition"
115  - "Sender analysis"
116id: "ea850cc1-b5ae-5405-a9e1-43ba91ef6e21"