Attachment: Fake scan-to-email
Message and attachment resemble an email from a scan-to-email service or device with credential theft language.
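# Sublime detection rule: lure that imitates a scan-to-email notification and
# carries a single PDF whose content (OCR text, NLU intent, or a vendor logo)
# points at credential theft. All checks below are read from the message
# itself; the sender-profile checks at the end suppress known-good senders.
name: "Attachment: Fake scan-to-email"
description: "Message and attachment resemble an email from a scan-to-email service or device with credential theft language."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // genuine scanner notifications are terse; long bodies are out of scope
  and length(body.current_thread.text) < 1500
  and (
    // device-style metadata fields in the plain-text body
    3 of (
      strings.icontains(body.current_thread.text, "Number of Images:"),
      strings.icontains(body.current_thread.text, "Attachment File Type:"),
      strings.icontains(body.current_thread.text, "Device Name:"),
      strings.icontains(body.current_thread.text, "Device Location:")
    )
    or (
      // scanner-style phrasing in the plain-text body
      3 of (
        strings.ilike(body.current_thread.text, "*scan date*"),
        strings.ilike(body.current_thread.text, "*was sent from*"),
        strings.ilike(body.current_thread.text, "*of pages*"),
        strings.ilike(body.current_thread.text, "*scanned file*")
      )
      // image-as-content variant: the same wording is rendered as an image,
      // so it is matched against the OCR of the message screenshot rather
      // than body.current_thread.text (which would make the explode a no-op)
      or any(file.explode(beta.message_screenshot()),
             3 of (
               strings.ilike(.scan.ocr.raw, "*scan date*"),
               strings.ilike(.scan.ocr.raw, "*was sent from*"),
               strings.ilike(.scan.ocr.raw, "*of pages*"),
               strings.ilike(.scan.ocr.raw, "*scanned file*"),
               strings.icontains(.scan.ocr.raw, "Number of Images:"),
               strings.icontains(.scan.ocr.raw, "Attachment File Type:"),
               strings.icontains(.scan.ocr.raw, "Device Name:"),
               strings.icontains(.scan.ocr.raw, "Device Location:")
             )
      )
    )
  )
  // exactly one PDF attachment, which carries the lure
  and length(filter(attachments, .file_type == "pdf")) == 1
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  (
                    // scanner wording or a "verify document" prompt in the PDF's OCR text
                    strings.ilike(.scan.ocr.raw,
                                  "*scan date*",
                                  "*was sent from*",
                                  "*of pages*",
                                  "*verif*document*",
                                  "*scanned file*"
                    )
                    // NLU classifies the PDF text as credential theft
                    or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                           .name == "cred_theft"
                    )
                    // brand logo commonly abused in document-themed lures
                    // (".." refers to the attachment being exploded)
                    or any(ml.logo_detect(..).brands,
                           .name in ("DocuSign", "Microsoft")
                    )
                  )
                  // a single link in the PDF: the only call to action
                  and length(.scan.url.urls) == 1
          )
  )
  // external sender only
  and sender.email.domain.domain not in~ $org_domains
  // sender profile: unsolicited, or previously flagged, and never a false
  // positive. Equivalent to (not solicited or (malicious and not fp)) and not fp.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Image as content"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ea850cc1-b5ae-5405-a9e1-43ba91ef6e21"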