Inline image as message with attachment or link

Dec 11, 2023 ·

Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content based scanning engines.

We've observed this technique used to deliver malware via attachments and phish credentials.

Sublime rule (View on GitHub)

 1name: "Inline image as message with attachment or link"
 2description: |
 3  Using inline images in lieu of HTML or text content in the message is a known
 4  technique used to bypass content based scanning engines.
 5
 6  We've observed this technique used to deliver malware via attachments and phish credentials.  
 7type: "rule"
 8severity: "low"
 9source: |
10  type.inbound
11  and length(body.html.raw) < 200
12  and length(body.links) > 0
13  and (
14    // as of 20220116 there's a link parsing bug with .png inline images, so ignore those
15    any(body.links, not strings.ilike(.href_url.url, "*.png"))
16  
17    // cid images are treated as attachments, so we're looking for more than 1
18    or (
19      length(attachments) > 1
20      and any(attachments, .file_type not in $file_types_images)
21    )
22  )
23  and strings.ilike(body.html.raw, "*img*cid*")
24  and (
25    profile.by_sender().prevalence in ("new", "outlier")
26    or (
27      profile.by_sender().any_messages_malicious_or_spam
28      and not profile.by_sender().any_false_positives
29    )
30  )  
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Evasion"
35  - "Image as content"
36detection_methods:
37  - "Content analysis"
38  - "HTML analysis"
39  - "URL analysis"
40id: "823d7107-2605-5671-9acb-ba172d071671"