Image as content with a link to an open redirect (unsolicited)

The body contains little or no text (or only disclaimer text), an image, and a link to an open redirect.

Sublime rule

# Sublime Security detection rule. The MQL expression in `source` must evaluate
# to true for a message to be flagged; every `and` clause below is a required
# condition, so the rule is the conjunction of all of them.
name: "Image as content with a link to an open redirect (unsolicited)"
description: "Body contains little, no, or only disclaimer text, an image, and a link to an open redirect."
type: "rule"
severity: "high"
source: |
  type.inbound
  // at most two links in the body, and one or two attachments, all of image type
  and length(body.links) < 3
  and 0 < (length(attachments)) < 3
  and all(attachments, (.file_type in $file_types_images))
  // every image attachment must exceed 10,000 bytes (presumably to skip small
  // logo/signature images -- the threshold's intent is not stated here)
  and all(attachments, (.size > 10000))
  // image is in body
  and strings.icontains(body.html.raw, 'src="cid')
  // sender domain matches no body domains
  and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
  and (
    // body text is very short
    (
      0 <= (length(body.current_thread.text)) < 10
      or body.current_thread.text is null
    )
    or (
      length(body.current_thread.text) < 900
      // or body is most likely all warning banner (text contains the sender and common warning banner language)
      and (
        (
          strings.contains(body.current_thread.text, sender.email.email)
          // NOTE(review): strings.contains is case-sensitive, so an upper-case "CAUTION"
          // banner would not satisfy this branch; confirm whether strings.icontains was intended
          and strings.contains(body.current_thread.text, 'caution')
        )
        or regex.icontains(body.current_thread.text,
                           "intended recipient's use only|external email|sent from outside|you don't often|confidential"
        )
      )
    )
  )
  // at least one link routes through an open redirect: either a link whose URL
  // rewrite chain includes an "open_redirect" encoder and whose root domain is
  // not a high-trust domain, or an sng.link URL carrying a fallback_redirect
  // query parameter
  and (
    any(body.links,
        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
        and .href_url.domain.root_domain not in $high_trust_sender_root_domains
    )
    or any(body.links,
           .href_url.domain.root_domain == 'sng.link'
           and strings.ilike(.href_url.query_params, "*fallback_redirect*")
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender profile: not solicited, or previously seen sending malicious/spam
  // mail with no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // exclude senders whose prevalence is "common"
  and not profile.by_sender().prevalence == "common"  

attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "f5cec36b-76ea-5cd6-958b-74f819d73a47"