Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear.
Sublime rule

```yaml
name: "Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender"
description: "Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear."
type: "rule"
severity: "high"
source: |
  type.inbound

  // sender is a freemail domain
  and sender.email.domain.root_domain in $free_email_providers

  // attachment filename is the same as the subject
  and any(attachments,
          (
            strings.ilevenshtein(strings.concat(subject.subject,
                                                ".",
                                                .file_extension
                                 ),
                                 .file_name
            ) <= 1
          )
          or strings.contains(.file_name, subject.subject)
  )

  // body contains a US address, or the body is the subject
  and (
    regex.icontains(body.current_thread.text,
                    '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?|\d+\s[\w\s.]+(?:Street|St|Avenue|Ave|Boulevard|Blvd|Road|Rd|Drive|Dr|Lane|Ln|Court|Ct|Way|Place|Pl|Terrace|Ter|Circle|Cir|Parkway|Pkwy|Trail|Trl|Highway|Hwy|Loop)\b\.?',
                    // a Canadian address
                    '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d'
    )
    or subject.subject == body.current_thread.text
  )

  // there's a PDF attachment with an image at a depth of one, measuring 148x148 and containing a QR code that is a BTC address
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  (
                    (.depth == 1 and .flavors.mime == "image/jpeg")
                    and (
                      .scan.exiftool.image_height == 148
                      and .scan.exiftool.image_width == 148
                      and regex.match(.scan.qr.data,
                                      '(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qp-z0-9]{39,59})'
                      )
                    )
                  )
                  or (
                    any(.scan.strings.strings,
                        regex.icontains(.,
                                        'Amount(?:\s*\w+){0,3}\s*:?\s*(?:USD\s*)?(?:\$\s?\d+|\d+\s?\$?)'
                        )
                    )
                    and any(.scan.strings.strings,
                            regex.icontains(.,
                                            '(\bBITCOIN\b|\bBTC\b|\bLTC\b|Wallet)'
                            )
                    )
                  )
          )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "PDF"
  - "Social engineering"
  - "QR code"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "QR code analysis"
id: "efb5a213-df55-5ddc-a300-ad3a6da8e74e"
```
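To see which of the rule's text conditions fire on a message, the address block and the PDF-string/QR block above are re-implemented here in Python as an added example (not Sublime's code). It assumes MQL `regex.match` on the QR payload behaves like `re.fullmatch` and that `icontains` is a case-insensitive search; the freemail, filename and exiftool conditions are not modelled, and all sample inputs are constructed.

```python
"""Text-matching conditions of the Sublime rule above, re-implemented in
Python as an added example (not Sublime's code).  Only the regex checks are
modelled: the freemail, filename, exiftool and QR-decoding conditions are
assumed to have already been evaluated.  MQL regex.match on the QR payload is
assumed to behave like re.fullmatch; icontains is modelled with re.I."""
import re

# Patterns copied verbatim from the rule.
US_ADDRESS = re.compile(
    r'\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?'
    r'|\d+\s[\w\s.]+(?:Street|St|Avenue|Ave|Boulevard|Blvd|Road|Rd|Drive|Dr'
    r'|Lane|Ln|Court|Ct|Way|Place|Pl|Terrace|Ter|Circle|Cir|Parkway|Pkwy'
    r'|Trail|Trl|Highway|Hwy|Loop)\b\.?', re.I)
CA_ADDRESS = re.compile(
    r'\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)'
    r'|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)'
    r'|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)'
    r'|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)'
    r'|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d',
    re.I)
BTC_ADDRESS = re.compile(
    r'(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qp-z0-9]{39,59})')
AMOUNT = re.compile(
    r'Amount(?:\s*\w+){0,3}\s*:?\s*(?:USD\s*)?(?:\$\s?\d+|\d+\s?\$?)', re.I)
CRYPTO_WORDS = re.compile(r'(\bBITCOIN\b|\bBTC\b|\bLTC\b|Wallet)', re.I)

def body_has_address(text: str) -> bool:
    """Rule block 'body contains a US address' (US or Canadian pattern)."""
    return bool(US_ADDRESS.search(text) or CA_ADDRESS.search(text))

def qr_is_btc_address(qr_data: str) -> bool:
    """Decoded QR payload is a legacy (1.../3...) or bech32 (bc1...) address.
    Note the bech32 class [qp-z0-9] omits the letters a..o that bech32 uses,
    so bc1 addresses containing them do not match this branch."""
    return BTC_ADDRESS.fullmatch(qr_data) is not None

def pdf_strings_demand_payment(strings: list[str]) -> bool:
    """Second branch: an 'Amount ... $N' string AND a crypto keyword string."""
    return (any(AMOUNT.search(s) for s in strings)
            and any(CRYPTO_WORDS.search(s) for s in strings))

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real message.
    body = "I know you live at 123 Maple Street\nSpringfield IL 62704. Read the PDF."
    print("address:", body_has_address(body))
    print("qr btc :", qr_is_btc_address("1SAMPLEADDRESSxxxxxxxxxxxxxxxxxxxx"))
    print("payment:", pdf_strings_demand_payment(
        ["Amount to send: USD $1500", "Send to this Bitcoin wallet within 48 hours"]))
```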