PHP Mailer with common phishing attachments

Mail coming from a PHP Mailer user agent that includes attachments with commonly used names in phishing campaigns

Sublime rule

name: "PHP Mailer with common phishing attachments"
description: |
    Mail coming from a PHP Mailer user agent that includes attachments with commonly used names in phishing campaigns
references:
  - "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/headers_php_mailer.yml"
type: "rule"
severity: "medium"
authors:
  - twitter: "vector_sec"
source: |
  type.inbound
  and strings.ilike(headers.mailer, '*phpmailer*')
  and any(attachments, .file_name in~ ('image.png', 'name.png', 'use.png'))
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
detection_methods:
  - "Header analysis"
id: "07e03563-88f6-5d2f-8730-7d17f860ba14"
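The same logic re-implemented in Python over raw RFC 822 messages, as an added example that is not part of the Sublime rule or the Sublime engine: strings.ilike becomes a case-insensitive wildcard match, in~ becomes a case-insensitive set lookup, and the sample messages are constructed inline. It assumes headers.mailer corresponds to the X-Mailer header and that the message is already known to be inbound (type.inbound is not derivable from the message bytes alone).

```python
import email
import fnmatch
from email import policy
from email.message import EmailMessage

# Attachment names the rule flags, taken from the rule above.
PHISHING_ATTACHMENT_NAMES = {"image.png", "name.png", "use.png"}


def mailer_matches(msg, pattern="*phpmailer*"):
    """Case-insensitive wildcard match, mirroring strings.ilike().
    Assumption: headers.mailer maps to the X-Mailer header."""
    mailer = str(msg.get("X-Mailer", ""))
    return fnmatch.fnmatchcase(mailer.lower(), pattern.lower())


def attachment_names(msg):
    """Yield the file names of MIME parts carried as attachments."""
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            yield name


def is_php_mailer_phish(raw):
    """Evaluate the rule on raw message bytes; in~ is case-insensitive,
    so 'Image.PNG' matches 'image.png'. Inbound direction is assumed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return mailer_matches(msg) and any(
        n.lower() in PHISHING_ATTACHMENT_NAMES for n in attachment_names(msg))


def build_sample(mailer, attachment_name):
    """Constructed test message (not a real capture), returned as bytes."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "sender@example.com"
    m["To"] = "user@example.net"
    m["Subject"] = "Invoice"
    if mailer:
        m["X-Mailer"] = mailer
    m.set_content("See attached.")
    if attachment_name:
        m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                         subtype="png", filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    hit = build_sample("PHPMailer 6.8.0 (https://github.com/PHPMailer/PHPMailer)", "Image.PNG")
    print(is_php_mailer_phish(hit))  # True
```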