Inline image as message with attachment or link
Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content based scanning engines.
We've observed this technique used to deliver malware via attachments and phish credentials.
Sublime rule (View on GitHub)
1name: "Inline image as message with attachment or link"
2description: |
3 Using inline images in lieu of HTML or text content in the message is a known
4 technique used to bypass content based scanning engines.
5
6 We've observed this technique used to deliver malware via attachments and phish credentials.
7type: "rule"
8severity: "low"
9source: |
10 type.inbound
11 and length(body.html.raw) < 200
12 and length(body.links) > 0
13 and (
14 // as of 20220116 there's a link parsing bug with .png inline images, so ignore those
15 any(body.links, not strings.ilike(.href_url.url, "*.png"))
16
17 // cid images are treated as attachments, so we're looking for more than 1
18 or (
19 length(attachments) > 1
20 and any(attachments, .file_type not in $file_types_images)
21 )
22 )
23 and strings.ilike(body.html.raw, "*img*cid*")
24 and (
25 profile.by_sender().prevalence in ("new", "outlier")
26 or (
27 profile.by_sender().any_messages_malicious_or_spam
28 and not profile.by_sender().any_false_positives
29 )
30 )
31attack_types:
32 - "Credential Phishing"
33tactics_and_techniques:
34 - "Evasion"
35 - "Image as content"
36detection_methods:
37 - "Content analysis"
38 - "HTML analysis"
39 - "URL analysis"
40id: "823d7107-2605-5671-9acb-ba172d071671"