Attachment: Suspicious Employee Policy Update Document Lure
Inbound message containing a subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed being used to deliver credential phishing via QR codes.
name: "Attachment: Suspicious Employee Policy Update Document Lure"
# NOTE(review): "used to delivery" should read "used to deliver".
description: "Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed used to delivery credential phishing via QR codes."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only; the lure is an HR/compensation-themed Word attachment
  // whose subject and file name both combine a pay/policy term with a
  // change/review term. There is no content inspection of the document
  // itself, so the match is purely on terminology, count and extension.
  type.inbound
  and (
    // the subject contains pay related items
    (
      strings.icontains(subject.subject, 'salary')
      // word-bounded: "pay" / "payroll" match, "payment" / "payable" do not
      or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
      or strings.icontains(subject.subject, 'bonus')
      or strings.icontains(subject.subject, 'incentive')
      or strings.icontains(subject.subject, 'merit')
      or strings.icontains(subject.subject, 'handbook')
      or strings.icontains(subject.subject, 'benefits')
    )
    // ...and a review/change term, so a subject that only mentions
    // "benefits" or "bonus" on its own does not fire
    and (
      strings.icontains(subject.subject, 'review')
      or strings.icontains(subject.subject, 'evaluation')
      // "eval" as a whole word or word ending (e.g. "self-eval")
      or regex.icontains(subject.subject, 'eval\b')
      or strings.icontains(subject.subject, 'assessment')
      or strings.icontains(subject.subject, 'appraisal')
      or strings.icontains(subject.subject, 'feedback')
      or strings.icontains(subject.subject, 'performance')
      or strings.icontains(subject.subject, 'adjustment')
      or strings.icontains(subject.subject, 'increase')
      or strings.icontains(subject.subject, 'raise')
      or strings.icontains(subject.subject, 'change')
      or strings.icontains(subject.subject, 'modification')
      or strings.icontains(subject.subject, 'distribution')
      or regex.icontains(subject.subject, 'revis(?:ed|ion)')
      or regex.icontains(subject.subject, 'amend(?:ed|ment)')
      // "updated" or "update to" only, not every subject containing "update"
      or regex.icontains(subject.subject, 'update(?:d| to)')
    )
  )
  // one to three attachments; messages with no attachment or bulk
  // attachment sets are not considered
  and 0 < length(attachments) <= 3
  and any(attachments,
          // Word formats only, including the macro-enabled .docm
          // NOTE(review): this is a declared-extension check; the
          // attachment's actual content type is not verified here
          .file_extension in ("doc", "docx", "docm")
          // the file name must repeat the same two-group vocabulary
          // as the subject: a pay/policy term...
          and (
            strings.icontains(.file_name, 'salary')
            or regex.icontains(.file_name, '\bpay(?:roll|\b)')
            or strings.icontains(.file_name, 'bonus')
            or strings.icontains(.file_name, 'incentive')
            or strings.icontains(.file_name, 'merit')
            or strings.icontains(.file_name, 'handbook')
            or strings.icontains(.file_name, 'benefits')
          )
          // ...plus a review/change term
          and (
            strings.icontains(.file_name, 'review')
            or strings.icontains(.file_name, 'evaluation')
            or regex.icontains(.file_name, 'eval\b')
            or strings.icontains(.file_name, 'assessment')
            or strings.icontains(.file_name, 'appraisal')
            or strings.icontains(.file_name, 'feedback')
            or strings.icontains(.file_name, 'performance')
            or strings.icontains(.file_name, 'adjustment')
            or strings.icontains(.file_name, 'increase')
            or strings.icontains(.file_name, 'raise')
            or strings.icontains(.file_name, 'change')
            or strings.icontains(.file_name, 'modification')
            or strings.icontains(.file_name, 'distribution')
            or regex.icontains(.file_name, 'revis(?:ed|ion)')
            or regex.icontains(.file_name, 'amend(?:ed|ment)')
            or regex.icontains(.file_name, 'update(?:d| to)')
          )
  )
  // Suppress only for high-trust root domains that also pass DMARC.
  // coalesce(..., false) treats a missing auth summary as a DMARC failure,
  // so a high-trust domain without an authentication result is NOT excluded
  // (a spoofed high-trust sender still triggers the rule).
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  # NOTE(review): "PDF" does not match the rule body, which only matches
  # Word extensions, and the description cites QR codes as the delivery
  # mechanism; confirm the intended technique tag.
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
id: "a8bf1fd1-d9fa-572d-8957-51d6025a5248"