Attachment: Small text file with link containing recipient email address

An attached text file is smaller than 1000 bytes and contains a recipient's email address. Seen in the wild carrying credential phishing links.

Sublime rule (View on GitHub)

name: "Attachment: Small text file with link containing recipient email address"
description: "Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .content_type in~ ("text/plain", "text")
          and any(file.explode(.),
                  .size < 1000
                  and any(.scan.url.urls,
                          any(recipients.to,
                              strings.icontains(..url, .email.email)
                              and .email.domain.valid
                          )
                  )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
id: "c0472c9d-1e06-5177-90b1-f57620944ff5"
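The attachment half of the rule (small text/plain attachment whose URL embeds a To: address) can be reproduced offline for triage or testing. The following is an added Python example, not Sublime's code or its MQL engine: it uses the standard email library, treats "contains the recipient address" as a case-insensitive substring match on each URL as strings.icontains does, approximates .email.domain.valid as "domain has a dot", and omits the sender-profile conditions, which need mailbox history. The .eml is constructed.

```python
"""Offline approximation of the attachment check (added example, assumptions noted)."""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_SIZE = 1000  # bytes; same threshold as the rule's .size < 1000

# Constructed sample message: a small text/plain attachment carrying a link
# that embeds the recipient's address (the pattern the rule targets).
SAMPLE_EML = """\
From: notice@example.net
To: Jane Doe <jane.doe@example.com>
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached note.
--b1
Content-Type: text/plain; name="note.txt"
Content-Disposition: attachment; filename="note.txt"

Review here: https://example.org/view?user=jane.doe@example.com
--b1--
"""


def recipient_addresses(msg: EmailMessage) -> list[str]:
    """Lowercased To: addresses; 'valid domain' approximated as containing a dot."""
    if not msg["to"]:
        return []
    addrs = [a.addr_spec.lower() for a in msg["to"].addresses]
    return [a for a in addrs if "." in a.rsplit("@", 1)[-1]]


def suspicious_attachments(raw: str) -> list[str]:
    """Names of text attachments under MAX_SIZE whose URLs contain a To: address."""
    msg = email.message_from_string(raw, policy=policy.default)
    rcpts = recipient_addresses(msg)
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() not in ("text/plain", "text"):
            continue
        payload = part.get_payload(decode=True) or b""
        if len(payload) >= MAX_SIZE:
            continue  # rule only fires on small files
        text = payload.decode("utf-8", errors="replace")
        if any(r in u.lower() for u in URL_RE.findall(text) for r in rcpts):
            hits.append(part.get_filename() or "<unnamed>")
    return hits
```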
