Attachment: Fake scan-to-email

Message and attachment resemble an email from a scan-to-email service or device with credential theft language.

Sublime rule (View on GitHub)

 1name: "Attachment: Fake scan-to-email"
 2description: "Message and attachment resemble an email from a scan-to-email service or device with credential theft language."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.current_thread.text) < 1500
 8  and (
 9    3 of (
10      strings.icontains(body.current_thread.text, "Number of Images:"),
11      strings.icontains(body.current_thread.text, "Attachment File Type:"),
12      strings.icontains(body.current_thread.text, "Device Name:"),
13      strings.icontains(body.current_thread.text, "Device Location:")
14    )
15    or (
16      3 of (
17        strings.ilike(body.current_thread.text, "*scan date*"),
18        strings.ilike(body.current_thread.text, "*was sent from*"),
19        strings.ilike(body.current_thread.text, "*of pages*"),
20        strings.ilike(body.current_thread.text, "*scanned file*"),
21      )
22      or any(file.explode(beta.message_screenshot()),
23             3 of (
24               strings.ilike(body.current_thread.text, "*scan date*"),
25               strings.ilike(body.current_thread.text, "*was sent from*"),
26               strings.ilike(body.current_thread.text, "*of pages*"),
27               strings.ilike(body.current_thread.text, "*scanned file*"),
28               strings.icontains(body.current_thread.text, "Number of Images:"),
29               strings.icontains(body.current_thread.text,
30                                 "Attachment File Type:"
31               ),
32               strings.icontains(body.current_thread.text, "Device Name:"),
33               strings.icontains(body.current_thread.text, "Device Location:")
34             )
35      )
36    )
37  )
38  and length(filter(attachments, .file_type == "pdf")) == 1
39  and any(attachments,
40          .file_type == "pdf"
41          and any(file.explode(.),
42                  (
43                    strings.ilike(.scan.ocr.raw,
44                                  "*scan date*",
45                                  "*was sent from*",
46                                  "*of pages*",
47                                  "*verif*document*",
48                                  "*scanned file*"
49                    )
50                    or any(ml.nlu_classifier(.scan.ocr.raw).intents,
51                           .name == "cred_theft"
52                    )
53                    or any(ml.logo_detect(..).brands,
54                           .name in ("DocuSign", "Microsoft")
55                    )
56                  )
57                  and length(.scan.url.urls) == 1
58          )
59  )
60  and sender.email.domain.domain not in~ $org_domains
61  and (
62    not profile.by_sender().solicited
63    or (
64      profile.by_sender().any_messages_malicious_or_spam
65      and not profile.by_sender().any_false_positives
66    )
67  )
68  and not profile.by_sender().any_false_positives  
69
70attack_types:
71  - "Credential Phishing"
72tactics_and_techniques:
73  - "Free file host"
74  - "Image as content"
75  - "PDF"
76  - "Social engineering"
77detection_methods:
78  - "Content analysis"
79  - "File analysis"
80  - "Natural Language Understanding"
81  - "Optical Character Recognition"
82  - "Sender analysis"
83id: "ea850cc1-b5ae-5405-a9e1-43ba91ef6e21"