Attachment: Small text file with link containing recipient email address
The attached text file is smaller than 1000 bytes and contains a recipient's email address. Seen in the wild carrying credential phishing links.
Sublime rule:
```yaml
name: "Attachment: Small text file with link containing recipient email address"
description: "Attach text file is less than 1000 bytes and contains a recipients email address. Seen in the wild carrying credential phishing links."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .content_type in~ ("text/plain", "text")
          and any(file.explode(.),
                  .size < 1000
                  and any(.scan.url.urls,
                          any(recipients.to,
                              strings.icontains(..url, .email.email)
                              and .email.domain.valid
                          )
                  )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
id: "c0472c9d-1e06-5177-90b1-f57620944ff5"
```
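The attachment clause of the rule, re-implemented in Python on a constructed message so the logic can be checked offline (an added example, not part of the Sublime rule or the Sublime platform). It assumes `text/plain` attachments, the 1000-byte ceiling and a case-insensitive substring match of each To: address against each URL in the file; the `.email.domain.valid` check is approximated by requiring a dotted domain, and the sender-profile clause is omitted because it needs message history.

```python
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Loose URL matcher standing in for the platform's URL extraction (assumption).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def recipient_addresses(msg):
    """Lower-cased To: addresses; requires a dotted domain as a stand-in
    for the rule's .email.domain.valid test."""
    out = []
    for _, addr in getaddresses(msg.get_all("To", [])):
        addr = addr.lower()
        _, sep, domain = addr.partition("@")
        if sep and "." in domain:
            out.append(addr)
    return out


def small_text_attachment_links_recipient(msg, max_size=1000):
    """True when a text/plain attachment under max_size bytes holds a URL
    that embeds one of the recipient addresses (case-insensitive)."""
    recipients = recipient_addresses(msg)
    for part in msg.iter_attachments():
        if part.get_content_type() not in ("text/plain", "text"):
            continue
        payload = part.get_payload(decode=True) or b""
        if len(payload) >= max_size:          # rule: .size < 1000
            continue
        text = payload.decode("utf-8", errors="replace")
        for url in URL_RE.findall(text):
            if any(r in url.lower() for r in recipients):
                return True
    return False


def build_sample(attachment_text):
    """Constructed inbound message with a single .txt attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.net"
    msg["To"] = "Jane Doe <Jane.Doe@example.com>"
    msg["Subject"] = "Document shared"
    msg.set_content("Please open the attached file.")
    msg.add_attachment(attachment_text.encode(), maintype="text",
                       subtype="plain", filename="note.txt")
    return msg
```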