Impersonation: Recipient organization in sender display name with credential theft image

Sender display name contains the recipient's organization domain while the actual email address differs. Message includes a single image attachment with OCR-detected credential theft language referencing the recipient's domain, and has no body text.

Sublime rule

name: "Impersonation: Recipient organization in sender display name with credential theft image"
description: "Sender display name contains the recipient's organization domain while the actual email address differs. Message includes a single image attachment with OCR-detected credential theft language referencing the recipient's domain, and has no body text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) <= 1
  and length(attachments) == 1
  and strings.icontains(sender.display_name, recipients.to[0].email.domain.sld)
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.root_domain in $org_domains
  and
  // No body text
  (
    length(body.current_thread.text) == 0 or body.current_thread.text is null
  )
  and all(attachments,
          .file_type in $file_types_images
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          and strings.icontains(beta.ocr(.).text,
                                recipients.to[0].email.domain.sld
          )
          and any(ml.nlu_classifier(beta.ocr(.).text).intents,
                  .name == "cred_theft" and .confidence == "high"
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "6abfb20e-ca83-5e24-ad1e-609e6df9dd24"
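The following Python is an added walk-through of the rule's conjunction over constructed message records; it is not Sublime's engine or the rule's own code. OCR text and NLU intents are supplied as precomputed fields standing in for beta.ocr() and ml.nlu_classifier(), and $org_domains / $file_types_images are stood in by small constructed sets.

```python
# Reference evaluation of the rule's clauses (added illustration, not Sublime code).
ORG_DOMAINS = {"example.com"}                       # stands in for $org_domains
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}  # stands in for $file_types_images


def domain_parts(email):
    """Return (root_domain, sld) for an address. Naive two-label root with no
    public-suffix list, which is enough for the constructed samples below."""
    labels = email.rsplit("@", 1)[1].lower().split(".")
    return ".".join(labels[-2:]), labels[-2]


def matches(msg):
    """Apply the rule's conditions in order; each check mirrors one MQL clause."""
    if not msg["inbound"]:
        return False
    if len(msg["links"]) > 1 or len(msg["attachments"]) != 1:
        return False
    if len(msg["to"]) != 1:                       # exactly one recipient
        return False
    root, sld = domain_parts(msg["to"][0])
    if sld not in msg["display_name"].lower():    # strings.icontains on display name
        return False
    if root not in ORG_DOMAINS:                   # recipient is in the org
        return False
    if msg.get("body_text"):                      # empty string and None both pass
        return False
    for att in msg["attachments"]:                # all(attachments, ...)
        if att["file_type"] not in IMAGE_TYPES:
            return False
        if sld not in att["ocr_text"].lower():    # OCR text references the org sld
            return False
        if not any(i["name"] == "cred_theft" and i["confidence"] == "high"
                   for i in att["intents"]):
            return False
    return True


# Constructed sample: display name spoofs the org, sender domain differs,
# no body text, one PNG whose OCR text carries a high-confidence cred_theft intent.
HIT = {
    "inbound": True, "links": [],
    "display_name": "Example IT Helpdesk",
    "from": "helpdesk@examp1e-mail.net",
    "to": ["alice@example.com"], "body_text": None,
    "attachments": [{"file_type": "png",
                     "ocr_text": "Your EXAMPLE mailbox password expires today. Verify now.",
                     "intents": [{"name": "cred_theft", "confidence": "high"}]}],
}
# Same message with body text present: the no-body-text clause no longer holds.
MISS = dict(HIT, body_text="Please see the attached notice.")
```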