Impersonation: Recipient organization in sender display name with credential theft image
The sender's display name contains the recipient organization's domain name (the second-level label, e.g. "acme" for acme.com) while the sending address itself is external. The message carries exactly one image attachment, has no body text, and the text that OCR extracts from the image both references the recipient's domain and is classified with high confidence as credential-theft language. Note that the OCR call (beta.ocr) is a Sublime beta feature, as the rule's own comment states, so its output and availability may change; the rule ships at medium severity.
Sublime rule
name: "Impersonation: Recipient organization in sender display name with credential theft image"
description: "Sender display name contains the recipient's organization domain while the actual email address differs. Message includes a single image attachment with OCR-detected credential theft language referencing the recipient's domain, and has no body text."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) <= 1
  and length(attachments) == 1
  and strings.icontains(sender.display_name, recipients.to[0].email.domain.sld)
  and length(recipients.to) == 1
  and recipients.to[0].email.domain.root_domain in $org_domains
  and
  // No body text
  (
    length(body.current_thread.text) == 0 or body.current_thread.text is null
  )
  and all(attachments,
          .file_type in $file_types_images
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          and strings.icontains(beta.ocr(.).text,
                                recipients.to[0].email.domain.sld
          )
          and any(ml.nlu_classifier(beta.ocr(.).text).intents,
                  .name == "cred_theft" and .confidence == "high"
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "6abfb20e-ca83-5e24-ad1e-609e6df9dd24"
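As an added example (not code from the Sublime rule above or from the Sublime platform), the following Python re-implements the rule's predicates over a raw MIME message so the logic can be exercised offline and the predicate that a given message trips can be seen. Everything the platform would supply is replaced by a labelled stand-in: beta.ocr() becomes fake_ocr (the constructed sample "images" carry their text after a TEXT: marker), ml.nlu_classifier() becomes fake_intents (a keyword heuristic, not a model), $org_domains becomes the ORG_DOMAINS set, $file_types_images becomes a check on the declared MIME main type, and type.inbound is approximated as "sender root domain not in the org list". The sample messages and the lure text are constructed.

```python
# Added example, not the Sublime rule's own code: the rule's predicates re-implemented
# over a MIME message with constructed stand-ins for the platform's OCR, NLU and lists.
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ORG_DOMAINS = {"acme.com"}  # stand-in for $org_domains (constructed)


def root_domain(domain: str) -> str:
    """Registrable domain, approximated as the last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().split(".")[-2:])


def sld(domain: str) -> str:
    """Second-level label, e.g. 'acme' for 'mail.acme.com'; mirrors .domain.sld in the rule."""
    return root_domain(domain).split(".")[0]


def fake_ocr(image_bytes: bytes) -> str:
    """Stand-in for beta.ocr(): the constructed sample images embed their text after b'TEXT:'."""
    i = image_bytes.find(b"TEXT:")
    return image_bytes[i + 5:].decode("utf-8", "replace") if i >= 0 else ""


CRED_THEFT_CUES = (r"\bpassword\b", r"\bverify your (account|mailbox|email)\b",
                   r"\bexpir(e|es|ed|ing)\b", r"\bsign in\b", r"\blog ?in\b")


def fake_intents(text: str) -> list:
    """Stand-in for ml.nlu_classifier(text).intents: keyword cues, not a real classifier."""
    hits = sum(1 for cue in CRED_THEFT_CUES if re.search(cue, text, re.I))
    if hits >= 2:
        return [{"name": "cred_theft", "confidence": "high"}]
    if hits == 1:
        return [{"name": "cred_theft", "confidence": "medium"}]
    return [{"name": "benign", "confidence": "high"}]


def evaluate_rule(raw: bytes, org_domains=ORG_DOMAINS) -> list:
    """Return the names of the rule predicates that failed; an empty list means a match."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    failed = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    recipients = list(msg["To"].addresses) if msg["To"] else []
    # type.inbound, approximated as an external sender (assumption of this example)
    if sender is None or root_domain(sender.domain) in org_domains:
        failed.append("type.inbound")
    if len(recipients) != 1:
        failed.append("single_recipient")
        return failed  # the remaining predicates index recipients.to[0]
    rcpt_domain = recipients[0].domain
    if root_domain(rcpt_domain) not in org_domains:
        failed.append("recipient_in_org_domains")
    display_name = sender.display_name.lower() if sender else ""
    if sld(rcpt_domain) not in display_name:
        failed.append("display_name_contains_org_sld")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part else ""
    if len(re.findall(r"https?://\S+", body_text)) > 1:
        failed.append("at_most_one_link")
    if body_text:
        failed.append("no_body_text")
    attachments = list(msg.iter_attachments())
    if len(attachments) != 1:
        failed.append("single_attachment")
    for att in attachments:
        # .file_type in $file_types_images, approximated by the declared MIME main type
        if att.get_content_maintype() != "image":
            failed.append("attachment_is_image")
            continue
        ocr_text = fake_ocr(att.get_payload(decode=True))
        if sld(rcpt_domain) not in ocr_text.lower():
            failed.append("ocr_text_mentions_org_sld")
        if not any(i["name"] == "cred_theft" and i["confidence"] == "high"
                   for i in fake_intents(ocr_text)):
            failed.append("ocr_text_cred_theft_high")
    return failed


def build_sample(display_name: str, sender: str, rcpt: str, image_text: str,
                 body_text: str = "") -> bytes:
    """Construct a message with one image attachment carrying image_text (constructed data)."""
    msg = EmailMessage()
    msg["From"] = f'"{display_name}" <{sender}>'
    msg["To"] = rcpt
    msg["Subject"] = "Mailbox notice"
    msg.set_content(body_text)
    # Not a real PNG: a signature followed by the text fake_ocr() will "read"
    msg.add_attachment(b"\x89PNG\r\n\x1a\nTEXT:" + image_text.encode(),
                       maintype="image", subtype="png", filename="notice.png")
    return msg.as_bytes()


LURE = ("ACME mailbox storage is full. Sign in to verify your mailbox "
        "before it expires. Password required.")
PHISH = build_sample("ACME Security", "alerts@mail-notify.example", "j.doe@acme.com", LURE)
BENIGN = build_sample("Pat from Vendor", "pat@vendor.example", "j.doe@acme.com",
                      "Q3 roadmap slide, see attached.",
                      body_text="Hi, slide attached as discussed.")

if __name__ == "__main__":
    print("phish fails:", evaluate_rule(PHISH))    # []
    print("benign fails:", evaluate_rule(BENIGN))
```

Returning the list of failed predicates rather than a bare boolean is deliberate: when tuning a rule like this, the useful question about a false negative or a benign match is which clause was responsible (for instance, a lure whose OCR text never names the organization fails only ocr_text_mentions_org_sld). The keyword-based fake_intents exists only so the block runs offline; it says nothing about how the platform's NLU classifier scores text.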