Spam: Fake photo share

Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.

Sublime rule

name: "Spam: Fake photo share"
description: 'Message contains pretexting language about sharing photos ("found these photos and thought you''d like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.'
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    (
      (
        (
          (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
          or (
            length(body.html.display_text) < 500
            and length(body.current_thread.text) == 0
          )
          or (length(body.current_thread.text) < 500)
        )
        and strings.ilike(subject.subject,
                          "*picture*",
                          "*photo*",
                          "*image*",
                          "*sad news*"
        )
      )
      or (
        (
          (
            length(body.html.display_text) < 500
            and length(body.current_thread.text) == 0
          )
          and strings.ilike(body.html.display_text,
                            "*picture*",
                            "*photo*",
                            "*image*",
                            "*sad news*"
          )
        )
        or (
          (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
          and strings.ilike(body.plain.raw,
                            "*picture*",
                            "*photo*",
                            "*image*",
                            "*sad news*"
          )
          and not strings.istarts_with(body.plain.raw, "[cid:image")
        )
        or (
          length(body.current_thread.text) < 500
          and strings.ilike(body.current_thread.text,
                            "*picture*",
                            "*photo*",
                            "*image*",
                            "*sad news*"
          )
        )
      )
      or (
        body.plain.raw is not null
        and body.html.display_text is null
        and length(body.current_thread.text) == 0
        and strings.ilike(body.plain.raw,
                          "*picture*",
                          "*photo*",
                          "*image*",
                          "*sad news*",
                          "*pics*"
        )
        and not strings.istarts_with(body.plain.raw, "[cid:image")
        and strings.icontains(subject.subject, sender.display_name)
      )
    )
    and length(body.links) < 5
    and any(body.links,
            (
              (
                network.whois(.href_url.domain).days_old < 30
                or not network.whois(.href_url.domain).found
                or network.whois(.href_url.domain).found is null
              )
              and .href_url.domain.root_domain != sender.email.domain.root_domain
            )
            or (
              length(.display_text) == 1
              and .href_url.domain.root_domain in ("facebook.com", "youtube.com")
            )
    )
  )
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "eb086f7d-3ad7-52cd-8e16-3ce08726b9ea"
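As an added example (not part of the rule above or of Sublime's engine), the following Python re-implements the rule's core checks in simplified form and runs them over constructed sample messages. The WHOIS lookup is stubbed with a constructed domain-age table, and the thread logic is reduced to the reply-subject test from the rule.

```python
import re
from dataclasses import dataclass

# Keyword, reply-prefix and reply-regex checks mirror the rule; the rest is simplified.
PHOTO_TERMS = ("picture", "photo", "image", "sad news", "pics")
REPLY_PREFIXES = ("RE:", "R:", "ODG:", "答复:", "AW:", "TR:", "FWD:")
REPLY_RE = re.compile(r'^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:', re.I)
# Stand-in for network.whois(): root domain -> age in days. Constructed data;
# a domain missing from the table models a WHOIS record that was not found.
WHOIS_AGE = {"example-photos.test": 3, "example.com": 9000}

@dataclass
class Message:
    subject: str
    body_text: str        # plain-text or rendered HTML body
    thread_text: str      # current-thread text, "" when the mail is not a reply
    sender_domain: str    # sender's root domain
    links: list           # list of (href root domain, display text)
    references: int = 0   # number of entries in the References header

def mentions_photos(text):
    t = text.lower()
    return any(term in t for term in PHOTO_TERMS)

def looks_like_reply(subject):
    return subject.upper().startswith(REPLY_PREFIXES) or bool(REPLY_RE.match(subject))

def suspicious_link(link, sender_domain):
    root, display = link
    age = WHOIS_AGE.get(root)          # None = not found, treated as suspicious
    new_or_unknown = age is None or age < 30
    return (new_or_unknown and root != sender_domain) or (
        len(display) == 1 and root in ("facebook.com", "youtube.com"))

def is_fake_photo_share(m):
    short = len(m.body_text) < 500 and len(m.thread_text) < 500
    if not short or not (mentions_photos(m.subject) or mentions_photos(m.body_text)):
        return False
    if len(m.links) >= 5 or not any(suspicious_link(l, m.sender_domain) for l in m.links):
        return False
    # Genuine replies (reply-style subject with a References header) are excluded.
    return m.references == 0 or not looks_like_reply(m.subject)

# Constructed sample messages: one spam lure, one real reply, one benign photo mail.
SAMPLES = {
    "spam": Message("Remember these photos?", "found these photos and thought you'd "
                    "like them: http://example-photos.test/x", "", "example.com",
                    [("example-photos.test", "see them here")]),
    "reply": Message("RE: photos from the trip", "thanks, got them", "", "example.com",
                     [("example-photos.test", "see them here")], references=2),
    "benign": Message("Photo from today", "here is the photo", "", "example.com",
                      [("example.com", "album")]),
}

def run_samples():
    return {name: is_fake_photo_share(msg) for name, msg in SAMPLES.items()}
```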