Credential Phishing: Hyper-linked image leading to free file host

calendar May 2, 2024  ·
Share on: linkedin copy

This rule detects messages with short or null bodies, where all attachments are images, and the image is hyperlinking to a free_file_host from an unsolicited and untrusted sender.

Sublime rule (View on GitHub)

 1name: "Credential Phishing: Hyper-linked image leading to free file host"
 2description: "This rule detects messages with short or null bodies, where all attachments are images, and the image is hyperlinking to a free_file_host from an unsolicited and untrusted sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) > 0
 8  and 0 < length(attachments) < 8
 9  and all(attachments, .file_type in $file_types_images and .size > 2000)
10  and any(body.links,
11          // fingerprints of a hyperlinked image
12          .display_text is null
13          and .display_url.url is null
14          and .href_url.domain.root_domain in $free_file_hosts
15  )
16  and (
17    // body text is very short
18    (
19      0 <= (length(body.current_thread.text)) < 10
20      or body.current_thread.text is null
21    )
22    or (
23      length(body.current_thread.text) < 900
24      // or body is most likely all warning banner (text contains the sender and common warning banner language)
25      and (
26        (
27          strings.contains(body.current_thread.text, sender.email.email)
28          and strings.contains(body.current_thread.text, 'caution')
29        )
30        or regex.icontains(body.current_thread.text,
31                           "intended recipient's use only|external email|sent from outside|you don't often|confidential"
32        )
33      )
34    )
35  )
36  
37  // negate highly trusted sender domains unless they fail DMARC authentication
38  and (
39    (
40      sender.email.domain.root_domain in $high_trust_sender_root_domains
41      and (
42        any(distinct(headers.hops, .authentication_results.dmarc is not null),
43            strings.ilike(.authentication_results.dmarc, "*fail")
44        )
45      )
46    )
47    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
48  )
49  
50  // not solicited or previously flagged malicious/spam
51  and (
52    not profile.by_sender().solicited
53    or profile.by_sender().any_messages_malicious_or_spam
54  )
55  
56  // negate legitimate canva emails
57  and not (
58    strings.contains(sender.display_name, "via Canva")
59    and sender.email.domain.domain == "canva.com"
60    and (
61      any(distinct(headers.hops, .authentication_results.dmarc is not null),
62          strings.ilike(.authentication_results.dmarc, "*pass")
63      )
64    )
65  )  
66attack_types:
67  - "Credential Phishing"
68tactics_and_techniques:
69  - "Evasion"
70  - "Free file host"
71  - "Image as content"
72  - "Social engineering"
73detection_methods:
74  - "Content analysis"
75  - "Header analysis"
76  - "Sender analysis"
77  - "URL analysis"
78
79id: "f5cb1eca-667c-5750-9f00-b2b79c684ab1"
to-top