Spam: Fake photo share
Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.
Sublime rule (View on GitHub)
# Detection rule: short inbound message with a photo-sharing lure, few links,
# and at least one link that is either on a young/unresolvable domain or is a
# single-character link to facebook.com / youtube.com.
# Listing gutter numbers removed and nesting restored from the parentheses;
# every expression and string is unchanged.
# NOTE(review): no sender-reputation, prior-correspondence or authentication
# condition appears in this rule, so legitimate short photo-sharing mail that
# links to a recently registered domain would also match - confirm this is
# acceptable for a "low" severity rule.
name: "Spam: Fake photo share"
description: 'Message contains pretexting language about sharing photos ("found these photos and thought you''d like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.'
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    // Lure: one of three alternatives must hold.
    (
      // (1) Short message whose SUBJECT carries a photo/"sad news" keyword.
      (
        (
          (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
          or (
            length(body.html.display_text) < 500
            and length(body.current_thread.text) == 0
          )
          // NOTE(review): both alternatives above require an empty current
          // thread, which already satisfies this third one, so this group
          // reduces to "current thread shorter than 500" - confirm intent.
          or (length(body.current_thread.text) < 500)
        )
        and strings.ilike(subject.subject, "*picture*", "*photo*", "*image*", "*sad news*")
      )
      // (2) Short message whose BODY carries the keyword, checked separately
      //     for the HTML display text, the raw plain text and the current thread.
      or (
        (
          (
            length(body.html.display_text) < 500
            and length(body.current_thread.text) == 0
          )
          and strings.ilike(body.html.display_text, "*picture*", "*photo*", "*image*", "*sad news*")
        )
        or (
          (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
          and strings.ilike(body.plain.raw, "*picture*", "*photo*", "*image*", "*sad news*")
          // Skips plain bodies that begin with "[cid:image"
          // (presumably an inline-image placeholder - confirm).
          and not strings.istarts_with(body.plain.raw, "[cid:image")
        )
        or (
          length(body.current_thread.text) < 500
          and strings.ilike(body.current_thread.text, "*picture*", "*photo*", "*image*", "*sad news*")
        )
      )
      // (3) Plain-text-only message (no HTML display text, empty current thread)
      //     with a keyword in the body and a subject that contains the sender's
      //     display name. No length cap applies here, and "*pics*" is matched
      //     only in this alternative.
      or (
        body.plain.raw is not null
        and body.html.display_text is null
        and length(body.current_thread.text) == 0
        and strings.ilike(body.plain.raw, "*picture*", "*photo*", "*image*", "*sad news*", "*pics*")
        and not strings.istarts_with(body.plain.raw, "[cid:image")
        and strings.icontains(subject.subject, sender.display_name)
      )
    )
    // Link profile: fewer than five links, at least one of them suspicious.
    and length(body.links) < 5
    and any(body.links,
      (
        (
          // Domain registered less than 30 days ago, or WHOIS returned nothing.
          // A failed or empty lookup is treated like a new domain, which widens
          // matching whenever WHOIS data is unavailable.
          network.whois(.href_url.domain).days_old < 30
          or not network.whois(.href_url.domain).found
          or network.whois(.href_url.domain).found is null
        )
        // Links back to the sender's own root domain are not counted.
        and .href_url.domain.root_domain != sender.email.domain.root_domain
      )
      // Or: a link whose display text is a single character and which points
      // at facebook.com or youtube.com.
      or (
        length(.display_text) == 1
        and .href_url.domain.root_domain in ("facebook.com", "youtube.com")
      )
    )
  )
  // Thread check: passes when there is no References header at all, or when
  // the subject has no reply/forward prefix while References is present or no
  // hop carries an In-Reply-To field.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
          any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          // NOTE(review): the pattern has no trailing wildcard; if
          // regex.imatch anchors to the whole subject it only matches a
          // subject that consists of the prefix alone - confirm.
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "eb086f7d-3ad7-52cd-8e16-3ce08726b9ea"