Attachment: Encrypted zip file with payment-related lure

Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating that the attachment is encrypted and contains payment-related information — a combination commonly used to evade security scanning, since an encrypted archive must be extracted manually before its contents can be inspected.

Sublime rule

 1name: "Attachment: Encrypted zip file with payment-related lure"
 2description: "Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(attachments) > 0
 8  // 3 instances of zip/encrypted/payment information
 9  and 3 of (
10    regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
11    regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
12    regex.icontains(body.current_thread.text,
13                    'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
14    ),
15    regex.icontains(body.current_thread.text,
16                    'details.{1,20}payment.{1,30}attach'
17    ),
18    strings.icontains(subject.subject, "you have received"),
19    strings.icontains(subject.subject, "new debit"),
20    strings.icontains(subject.subject, "payment confirmation"),
21    strings.icontains(subject.subject, "invoice attached")
22  )
23  and (
24    // one attachment included and the file is a zip
25    attachments[0].file_extension == "zip"
26    and (
27      regex.icontains(attachments[0].file_name,
28                      'payment|invoice|receipt|document|bank'
29      )
30      // long uppercase passwords
31      or regex.contains(body.current_thread.text, '[A-Z]{10,}')
32    )
33  )  
34
35attack_types:
36  - "BEC/Fraud"
37  - "Malware/Ransomware"
38tactics_and_techniques:
39  - "Encryption"
40  - "Evasion"
41  - "Social engineering"
42detection_methods:
43  - "Archive analysis"
44  - "Content analysis"
45  - "File analysis"
46id: "5d1eb7af-178b-50a0-85ee-d9eb4ffe4c6c"