Fake scan-to-email message
Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.
Sublime rule
# Sublime Security detection rule (MQL in the `source` block scalar).
# Flags inbound mail styled as a scanner / multifunction-device "scan to email"
# notification that carries no attachment and instead points the recipient at a link.
name: "Fake scan-to-email message"
description: "Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound, zero attachments, exactly one or two links in the body,
  // and a "message from ..." subject. A genuine scan-to-email message would
  // normally carry the scanned document as an attachment.
  type.inbound
  and length(attachments) == 0
  and 0 < length(body.links) < 3
  and strings.ilike(subject.subject, "*message from*")
  // Scanner-notification wording ("scan date" / "was sent from"), checked in
  // the current thread text or, failing that, in OCR output of a screenshot
  // of the rendered message. Messages mentioning "unmonitored" are excluded
  // in both paths (typical of legitimate no-reply notices).
  and (
    (
      strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
      and not strings.ilike(body.current_thread.text, "*unmonitored*")
    )
    or any(file.explode(beta.message_screenshot()),
      strings.ilike(.scan.ocr.raw, "*scan date*", "*was sent from*")
      and not strings.ilike(.scan.ocr.raw, "*unmonitored*")
    )
  )
  // Link indicators: at least one link whose root domain is a known free file
  // host, or whose displayed URL differs from the real href, or that has no
  // display URL at all.
  and (
    any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
    or any(body.links, .display_url.url != .href_url.url)
    or any(body.links, .display_url.url is null)
  )
  // All links must point outside the organisation's domains and none may be
  // aka.ms; a single org-domain or aka.ms link suppresses the rule.
  and all(body.links,
    .href_url.domain.domain not in~ $org_domains
    and .href_url.domain.domain not in ("aka.ms")
  )
  // Sender profile: external to the org, and either never solicited or
  // previously seen sending malicious/spam mail. Any prior false positive for
  // this sender suppresses the rule (the inner any_false_positives check is
  // redundant with the trailing one but kept as written).
  and sender.email.domain.domain not in~ $org_domains
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

# Classification metadata used by the rule feed.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "78851fbe-9481-5fda-b472-f0b8dfb35e1a"