Inline image as message with attachment or link
Using inline images in lieu of HTML or text content in the message is a known technique used to bypass content-based scanning engines.
We've observed this technique used to deliver malware via attachments and phish credentials.
Sublime rule
name: "Inline image as message with attachment or link"
description: |
  Using inline images in lieu of HTML or text content in the message is a known
  technique used to bypass content based scanning engines.

  We've observed this technique used to deliver malware via attachments and phish credentials.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.html.raw) < 200
  and (
    (
      length(body.links) > 0

      // as of 20220116 there's a link parsing bug with .png inline images, so ignore those
      and any(body.links, not strings.ilike(.href_url.url, "*.png"))
    )
    // cid images are treated as attachments, so we're looking for more than 1
    or (length(attachments) > 1 and any(attachments, .file_type not in $file_types_images))
  )
  and strings.ilike(body.html.raw, "*img*cid*")
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "823d7107-2605-5671-9acb-ba172d071671"
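The same logic can be approximated outside Sublime, which is useful for testing the rule's conditions against a sample message. The following is an added example (not Sublime's code) using only the Python standard library; the list memberships the rule references ($free_email_providers, $sender_emails, $sender_domains, $file_types_images) and the sample message are constructed stand-ins, and root-domain extraction is a crude two-label approximation.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-ins for the Sublime lists the rule references.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}  # $free_email_providers
TRUSTED_SENDER_EMAILS = set()                                      # $sender_emails
TRUSTED_SENDER_DOMAINS = set()                                     # $sender_domains
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif"}                        # $file_types_images


def matches_rule(raw: bytes) -> bool:
    """Return True when the message has the inline-image-as-content shape the rule flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    links = re.findall(r'href="([^"]+)"', html, flags=re.I)
    # Sublime counts cid inline images as attachments, hence the "> 1" below.
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    exts = {name.rsplit(".", 1)[-1].lower() for name in attachments}
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    root_domain = ".".join(domain.split(".")[-2:])  # crude stand-in for .root_domain

    short_html = len(html) < 200
    # The rule skips *.png hrefs because of the link-parsing bug it mentions.
    has_link = any(not url.lower().endswith(".png") for url in links)
    suspicious_attachment = len(attachments) > 1 and any(e not in IMAGE_TYPES for e in exts)
    inline_cid_image = re.search(r"img.*cid", html, flags=re.I | re.S) is not None
    if root_domain in FREE_EMAIL_PROVIDERS:
        untrusted_sender = sender not in TRUSTED_SENDER_EMAILS
    else:
        untrusted_sender = domain not in TRUSTED_SENDER_DOMAINS
    return short_html and (has_link or suspicious_attachment) and inline_cid_image and untrusted_sender


def build_sample(with_link: bool = True, with_zip: bool = True) -> bytes:
    """Constructed message: near-empty HTML, one cid image, optional link and non-image attachment."""
    link = '<a href="https://login.example.invalid/">View invoice</a>' if with_link else ""
    msg = EmailMessage()
    msg["From"] = "billing-notice@gmail.com"  # constructed address
    msg["To"] = "someone@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content(f'<html><body><img src="cid:image001">{link}</body></html>', subtype="html")
    msg.add_related(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                    filename="image001.png", cid="<image001>")
    if with_zip:
        msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)
```

`matches_rule(build_sample())` returns True, while a message with the same cid image but no link and no extra attachment does not match.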