Fake scan-to-email message
Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.
Sublime rule (View on GitHub)
# Sublime detection rule: attachment-less "scan" notifications that link out to an unknown domain.
name: "Fake scan-to-email message"
description: "Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only. A genuine scan-to-email notification carries the scan as an
  // attachment; this rule targets the lure variant that has no attachment and links out.
  type.inbound
  and length(attachments) == 0
  // Exactly one or two links: a single "view your document" style call to action,
  // not a newsletter or marketing mail with many links.
  and 0 < length(body.links) < 3
  // Subject wording typical of scanner / MFP notifications.
  and strings.ilike(subject.subject, "*message from*")
  // Scanner-style body text. Checked in the thread text first, then (for image-only
  // bodies) via OCR of a rendered screenshot of the message.
  and (
    strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
    or any(file.explode(beta.message_screenshot()),
           strings.ilike(.scan.ocr.raw, "*scan date*", "*was sent from*")
    )
  )
  // Link indicators, any one suffices: a free file host as the landing site, a display
  // URL that differs from the real href (obscured destination), or a link with no
  // display URL at all.
  and (
    any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
    or any(body.links, .display_url.url != .href_url.url)
    or any(body.links, .display_url.url is null)
  )
  // Every link must point outside the organization. "aka.ms" is explicitly excluded
  // (presumably so legitimate Microsoft short links do not trigger the rule).
  and all(body.links,
          .href_url.domain.domain not in~ $org_domains
          and .href_url.domain.domain not in ("aka.ms")
  )
  // Sender must be external to the organization.
  and sender.email.domain.domain not in~ $org_domains
  // Sender reputation gate: unsolicited senders match outright; a solicited sender
  // only matches if it already has malicious/spam history and no false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // Note: the outer `not any_false_positives` check below already enforces this,
      // so this inner clause is redundant but harmless.
      and not profile.by_sender().any_false_positives
    )
  )
  // Global false-positive suppression for the sender.
  and not profile.by_sender().any_false_positives

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "78851fbe-9481-5fda-b472-f0b8dfb35e1a"