PHP Mailer with common phishing attachments
Mail coming from a PHP Mailer user agent that includes attachments with commonly used names in phishing campaigns
Sublime rule
```yaml
name: "PHP Mailer with common phishing attachments"
description: |
  Mail coming from a PHP Mailer user agent that includes attachments with commonly used names in phishing campaigns
references:
  - "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/headers_php_mailer.yml"
type: "rule"
severity: "medium"
authors:
  - twitter: "vector_sec"
source: |
  type.inbound
  and strings.ilike(headers.mailer, '*phpmailer*')
  and any(attachments, .file_name in~ ('image.png', 'name.png', 'use.png'))
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
detection_methods:
  - "Header analysis"
id: "07e03563-88f6-5d2f-8730-7d17f860ba14"
```
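To show what the three conditions in the rule's `source` evaluate against, here is the same logic re-implemented in Python and run over constructed MIME messages (added example, not Sublime's own engine or rule code). It assumes `headers.mailer` is taken from the `X-Mailer` header and that an attachment is any part with `Content-Disposition: attachment`; the sender addresses and attachment bytes are made up.

```python
import fnmatch
from email import message_from_string, policy
from email.message import EmailMessage

# The three attachment names the rule lists; compared case-insensitively,
# matching the MQL `in~` operator.
PHISHING_NAMES = {"image.png", "name.png", "use.png"}


def mailer_matches(mailer, pattern="*phpmailer*"):
    """strings.ilike(headers.mailer, '*phpmailer*'): case-insensitive glob."""
    if mailer is None:
        return False
    return fnmatch.fnmatchcase(mailer.lower(), pattern.lower())


def attachment_names(msg):
    """File names of every part delivered with Content-Disposition: attachment."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_disposition() == "attachment"
            and part.get_filename()]


def rule_matches(raw_message, inbound=True):
    """type.inbound AND PHP Mailer user agent AND a listed attachment name.
    headers.mailer is assumed here to come from the X-Mailer header."""
    if not inbound:
        return False
    msg = message_from_string(raw_message, policy=policy.default)
    if not mailer_matches(msg.get("X-Mailer")):
        return False
    return any(name.lower() in PHISHING_NAMES for name in attachment_names(msg))


def build_sample(mailer, filenames):
    """Construct a test message (not a real capture) with PNG attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"   # constructed address
    msg["To"] = "user@example.test"       # constructed address
    msg["Subject"] = "Document"
    if mailer:
        msg["X-Mailer"] = mailer
    msg.set_content("Please see the attached image.")
    for name in filenames:
        # Only the PNG signature bytes; the payload content is irrelevant to the rule.
        msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image",
                           subtype="png", filename=name)
    return msg.as_string()
```

`rule_matches(build_sample("PHPMailer 6.8.0", ["image.png"]))` is the positive case; the same attachment sent by another mailer, or any other file name under PHPMailer, does not fire.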