Fake scan-to-email message
Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.
Sublime rule
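# Sublime detection rule: scan-to-email lure with no scan attached.
# Layout repaired: the rendered listing had gutter numbers fused into each
# line and the block-scalar indentation collapsed, so the YAML did not parse.
name: "Fake scan-to-email message"
description: "Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // A real scan-to-email delivery carries the scan as an attachment; the lure
  // carries none and instead relies on a small number of links (1 or 2).
  and length(attachments) == 0
  and 0 < length(body.links) < 3
  and strings.ilike(subject.subject, "*message from*")
  and (
    // Device-style wording, either in the visible thread text ...
    (
      strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
      and not strings.ilike(body.current_thread.text, "*unmonitored*")
    )
    // ... or recovered by OCR from a rendering of the message, which catches
    // lures that place the wording in an image rather than in text.
    or (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      // NOTE(review): beta.ocr(file.message_screenshot()) is evaluated twice in this
      // branch; whether the engine caches the OCR result is not visible here.
      strings.ilike(beta.ocr(file.message_screenshot()).text,
                    "*scan date*",
                    "*was sent from*"
      )
      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                            "*unmonitored*"
      )
    )
  )
  // Link heuristics: at least one link points at a free file host, or its
  // display text disagrees with its actual target, or it has no display text.
  and (
    any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
    or any(body.links, .display_url.url != .href_url.url)
    or any(body.links, .display_url.url is null)
  )
  // Every link must leave the organization; "aka.ms" is the only external
  // domain exempted here, so this single-element list is the tuning point
  // if other first-party short-link domains need excluding.
  and all(body.links,
          .href_url.domain.domain not in~ $org_domains
          and .href_url.domain.domain not in ("aka.ms")
  )
  and sender.email.domain.domain not in~ $org_domains
  // Sender reputation: unsolicited, or a known bad sender with no benign history.
  // The inner `not ...any_messages_benign` is already implied by the outer one
  // below; it is kept so the rule stays textually identical to the published one.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign

# Classification metadata consumed by the platform; not part of the match logic.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "78851fbe-9481-5fda-b472-f0b8dfb35e1a"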