Attachment: Office file contains OLE relationship to credential phishing page
Office file OLE relationship link is a credential page, or contains credential phishing language.
Sublime rule (View on GitHub)
1name: "Attachment: Office file contains OLE relationship to credential phishing page"
2description: |
3 Office file OLE relationship link is a credential page, or contains credential phishing language.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and any(attachments,
9 (
10 .file_extension in~ $file_extensions_macros
11 or (
12 .file_extension is null
13 and .file_type == "unknown"
14 and .content_type == "application/octet-stream"
15 and .size < 100000000
16 )
17 )
18 and length(file.oletools(.).relationships) < 500
19 and any(file.oletools(.).relationships,
20 (
21 any(ml.nlu_classifier(ml.link_analysis(.target_url).final_dom.display_text
22 ).intents,
23 .name == "cred_theft"
24 and .confidence in ("medium", "high")
25 )
26 and .target_url.domain.root_domain not in (
27 "google.com",
28 "goo.gl"
29 )
30 and ml.link_analysis(.target_url).effective_url.domain.domain != "login.microsoftonline.com"
31 )
32 or ml.link_analysis(.target_url).credphish.disposition == "phishing"
33 )
34 )
35 and (
36 (
37 profile.by_sender().prevalence in ("new", "outlier")
38 and not profile.by_sender().solicited
39 )
40 or (
41 profile.by_sender().any_messages_malicious_or_spam
42 and not profile.by_sender().any_messages_benign
43 )
44 )
45attack_types:
46 - "Credential Phishing"
47tactics_and_techniques:
48 - "Evasion"
49 - "Social engineering"
50detection_methods:
51 - "File analysis"
52 - "HTML analysis"
53 - "Natural Language Understanding"
54 - "OLE analysis"
55 - "URL analysis"
56id: "d55793d0-865e-53c4-ae51-f1b0fec50ec6"