Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender
This rule identifies messages with an RFC822 attachment that contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited and has not been previously flagged as a false positive.
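name: "Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender"
description: "This rule identifies messages with an RFC822 attachment that contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited, and has not been previously flagged as a false positive."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_type == "unknown"
          and .content_type == "message/rfc822"
          // file-sharing lure wording in the nested message's subject
          and regex.contains(file.parse_eml(.).subject.subject,
                             '(shared.{0,30}with you|View Document)'
          )
          // the nested body carries between one and nine links
          and 0 < length(file.parse_eml(.).body.links) < 10
          // the nested sender is not one of this message's recipients
          and file.parse_eml(.).sender.email.email not in $recipient_emails

          // exclude bounce backs & read receipts
          // case-insensitive so "Postmaster" / "MAILER-DAEMON" are excluded too,
          // consistent with the regex.imatch subject check below
          and not strings.ilike(file.parse_eml(.).sender.email.local_part,
                                "*postmaster*",
                                "*mailer-daemon*",
                                "*administrator*"
          )
          and not regex.imatch(file.parse_eml(.).subject.subject,
                               "(undeliverable|read:).*"
          )
          and not any(file.parse_eml(.).attachments,
                      .content_type == "message/delivery-status"
          )

          // negate highly trusted sender domains in the nested eml unless they fail DMARC
          // (only hops that actually carry a DMARC result are considered)
          and (
            (
              file.parse_eml(.).sender.email.domain.root_domain in $high_trust_sender_root_domains
              and any(distinct(file.parse_eml(.).headers.hops,
                               .authentication_results.dmarc is not null
                      ),
                      strings.ilike(.authentication_results.dmarc, "*fail")
              )
            )
            or file.parse_eml(.).sender.email.domain.root_domain not in $high_trust_sender_root_domains
          )
          // negate nested senders from our own org domains (regardless of DMARC result)
          and not file.parse_eml(.).sender.email.domain.root_domain in $org_domains
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and any(distinct(headers.hops, .authentication_results.dmarc is not null),
              strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // the sender is unsolicited, or has prior malicious/spam history;
  // the false-positive exclusion applies to both branches, so it is stated once below
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "d96854d7-d0a2-5342-a363-cee1ad51e7c9"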