Fake scan-to-email message

Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.

Sublime rule (View on GitHub)

 1name: "Fake scan-to-email message"
 2description: "Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  and 0 < length(body.links) < 3
 9  and strings.ilike(subject.subject, "*message from*")
10  and (
11    strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
12    or any(file.explode(beta.message_screenshot()),
13           strings.ilike(.scan.ocr.raw, "*scan date*", "*was sent from*")
14    )
15  )
16  and (
17    any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
18    or any(body.links, .display_url.url != .href_url.url)
19    or any(body.links, .display_url.url is null)
20  )
21  and all(body.links,
22          .href_url.domain.domain not in~ $org_domains
23          and .href_url.domain.domain not in ("aka.ms")
24  )
25  and sender.email.domain.domain not in~ $org_domains
26  and (
27    not profile.by_sender().solicited
28    or (
29      profile.by_sender().any_messages_malicious_or_spam
30      and not profile.by_sender().any_false_positives
31    )
32  )
33  and not profile.by_sender().any_false_positives  
34
35attack_types:
36  - "Credential Phishing"
37tactics_and_techniques:
38  - "Free file host"
39  - "Social engineering"
40detection_methods:
41  - "Content analysis"
42  - "Optical Character Recognition"
43  - "Sender analysis"
44  - "URL analysis"
45id: "78851fbe-9481-5fda-b472-f0b8dfb35e1a"