Attachment: Office file contains OLE relationship to credential phishing page

Office file OLE relationship link is a credential page, or contains credential phishing language.

Sublime rule (View on GitHub)

 1name: "Attachment: Office file contains OLE relationship to credential phishing page"
 2description: |
 3    Office file OLE relationship link is a credential page, or contains credential phishing language.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and any(attachments,
 9          (
10            .file_extension in~ $file_extensions_macros
11            or (
12              .file_extension is null
13              and .file_type == "unknown"
14              and .content_type == "application/octet-stream"
15              and .size < 100000000
16            )
17          )
18          and any(file.oletools(.).relationships,
19                  any(ml.nlu_classifier(beta.linkanalysis(.target_url).final_dom.display_text).intents,
20                      .name == "cred_theft" and .confidence in ("medium", "high")
21                  )
22                  or beta.linkanalysis(.target_url).credphish.disposition == "phishing"
23          )
24  )
25  and (
26    (
27      sender.email.domain.root_domain in $free_email_providers
28      and sender.email.email not in $sender_emails
29    )
30    or (
31      sender.email.domain.root_domain not in $free_email_providers
32      and sender.email.domain.domain not in $sender_domains
33    )
34  )  
35attack_types:
36  - "Credential Phishing"
37tactics_and_techniques:
38  - "Evasion"
39  - "Social engineering"
40detection_methods:
41  - "File analysis"
42  - "HTML analysis"
43  - "Natural Language Understanding"
44  - "OLE analysis"
45  - "URL analysis"
46id: "d55793d0-865e-53c4-ae51-f1b0fec50ec6"
to-top