Attachment: Office file contains OLE relationship to credential phishing page
Office file OLE relationship link is a credential page, or contains credential phishing language.
Sublime rule (View on GitHub)
1name: "Attachment: Office file contains OLE relationship to credential phishing page"
2description: |
3 Office file OLE relationship link is a credential page, or contains credential phishing language.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and any(attachments,
9 (
10 .file_extension in~ $file_extensions_macros
11 or (
12 .file_extension is null
13 and .file_type == "unknown"
14 and .content_type == "application/octet-stream"
15 and .size < 100000000
16 )
17 )
18 and any(file.oletools(.).relationships,
19 any(ml.nlu_classifier(beta.linkanalysis(.target_url).final_dom.display_text).intents,
20 .name == "cred_theft" and .confidence in ("medium", "high")
21 )
22 or beta.linkanalysis(.target_url).credphish.disposition == "phishing"
23 )
24 )
25 and (
26 (
27 sender.email.domain.root_domain in $free_email_providers
28 and sender.email.email not in $sender_emails
29 )
30 or (
31 sender.email.domain.root_domain not in $free_email_providers
32 and sender.email.domain.domain not in $sender_domains
33 )
34 )
35attack_types:
36 - "Credential Phishing"
37tactics_and_techniques:
38 - "Evasion"
39 - "Social engineering"
40detection_methods:
41 - "File analysis"
42 - "HTML analysis"
43 - "Natural Language Understanding"
44 - "OLE analysis"
45 - "URL analysis"
46id: "d55793d0-865e-53c4-ae51-f1b0fec50ec6"