Spam: Fake photo share
Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.
Sublime rule

name: "Spam: Fake photo share"
description: 'Message contains pretexting language about sharing photos ("found these photos and thought you''d like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.'
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    (
      (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
      or (
        length(body.html.display_text) < 500
        and length(body.current_thread.text) == 0
      )
      or (length(body.current_thread.text) < 500)
    )
    and (
      strings.ilike(subject.subject, "*picture*", "*photo*", "*image*")
      or strings.icontains(subject.subject, sender.display_name)
      or (
        length(body.html.display_text) < 500
        and strings.ilike(body.html.display_text,
                          "*picture*",
                          "*photo*",
                          "*image*"
        )
      )
      or strings.ilike(body.plain.raw, "*picture*", "*photo*", "*image*")
      or strings.ilike(body.current_thread.text,
                       "*picture*",
                       "*photo*",
                       "*image*"
      )
    )
  )
  and length(body.links) < 5
  and any(body.links,
          (
            network.whois(.href_url.domain).days_old < 30
            and .display_text is not null
            and .href_url.domain.root_domain != sender.email.domain.root_domain
          )
          or (
            length(.display_text) == 1
            and .href_url.domain.root_domain in ("facebook.com", "youtube.com")
          )
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "eb086f7d-3ad7-52cd-8e16-3ce08726b9ea"
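The rule above combines three checks: a short body in whichever representation the message carries (plain, HTML, or current thread), photo pretext in the subject or body, and a small set of links where at least one either resolves to a domain registered under 30 days ago on a root domain other than the sender's, or is a one-character anchor pointing at facebook.com or youtube.com. The Python below is an added reference model of that logic, written for this page and not Sublime Security's code or the MQL engine. The Message and Link classes, the field names, and the WHOIS_DAYS_OLD table (a constructed stand-in for network.whois(...).days_old) are assumptions; the sample messages are constructed.

```python
"""Reference model of the "Spam: Fake photo share" rule (added example, not
Sublime's code). Fields mirror the MQL attributes the rule reads; the WHOIS
age lookup is a constructed table standing in for network.whois(...).days_old."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional

# Constructed stand-in for network.whois(domain).days_old. A real deployment
# would query WHOIS; unknown domains are treated as old (not suspicious).
WHOIS_DAYS_OLD = {
    "photo-share-2024.example": 3,   # assumed newly registered
    "facebook.com": 7000,
    "oldcorp.example": 4000,
}

PHOTO_PATTERNS = ("*picture*", "*photo*", "*image*")


@dataclass
class Link:
    href_domain: str            # .href_url.domain
    root_domain: str            # .href_url.domain.root_domain
    display_text: Optional[str]  # .display_text (None models MQL null)


@dataclass
class Message:
    inbound: bool                # type.inbound
    subject: str                 # subject.subject
    sender_display_name: str     # sender.display_name
    sender_root_domain: str      # sender.email.domain.root_domain
    body_plain: str = ""         # body.plain.raw
    body_html_text: str = ""     # body.html.display_text
    current_thread_text: str = ""  # body.current_thread.text
    links: List[Link] = field(default_factory=list)  # body.links


def ilike(text: str, *patterns: str) -> bool:
    """Case-insensitive glob match, mirroring strings.ilike."""
    return any(fnmatch(text.lower(), p.lower()) for p in patterns)


def days_old(domain: str) -> int:
    return WHOIS_DAYS_OLD.get(domain, 10_000)


def is_short_body(m: Message) -> bool:
    """First clause: the message is short in whichever representation it has."""
    no_thread = len(m.current_thread_text) == 0
    return (
        (len(m.body_plain) < 500 and no_thread)
        or (len(m.body_html_text) < 500 and no_thread)
        or len(m.current_thread_text) < 500
    )


def mentions_photos(m: Message) -> bool:
    """Second clause: photo pretext (or the sender's own name) in subject/body.
    Assumption: an empty display name does not count as 'contained' in the subject."""
    return (
        ilike(m.subject, *PHOTO_PATTERNS)
        or (bool(m.sender_display_name)
            and m.sender_display_name.lower() in m.subject.lower())
        or (len(m.body_html_text) < 500 and ilike(m.body_html_text, *PHOTO_PATTERNS))
        or ilike(m.body_plain, *PHOTO_PATTERNS)
        or ilike(m.current_thread_text, *PHOTO_PATTERNS)
    )


def suspicious_link(link: Link, sender_root_domain: str) -> bool:
    """Per-link predicate inside the rule's any(body.links, ...) block."""
    young_offdomain = (
        days_old(link.href_domain) < 30
        and link.display_text is not None
        and link.root_domain != sender_root_domain
    )
    single_char_social = (
        link.display_text is not None
        and len(link.display_text) == 1
        and link.root_domain in ("facebook.com", "youtube.com")
    )
    return young_offdomain or single_char_social


def matches_rule(m: Message) -> bool:
    return (
        m.inbound
        and is_short_body(m)
        and mentions_photos(m)
        and len(m.links) < 5
        and any(suspicious_link(l, m.sender_root_domain) for l in m.links)
    )


# Constructed samples: a pretext message with a young off-domain link, a
# benign message about a photo shoot on an old corporate domain, and a
# one-character anchor to facebook.com.
SPAM = Message(True, "Remember these photos?", "Alice", "freemail.example",
               body_plain="found these photos and thought you'd like them",
               links=[Link("photo-share-2024.example", "photo-share-2024.example", "view photos")])
LEGIT = Message(True, "Q3 photo shoot schedule", "Bob", "oldcorp.example",
                body_plain="Attached is the schedule for the photo shoot.",
                links=[Link("oldcorp.example", "oldcorp.example", "calendar")])
SOCIAL = Message(True, "your pictures", "Carol", "freemail.example",
                 body_plain="here", links=[Link("facebook.com", "facebook.com", ".")])

if __name__ == "__main__":
    for name, msg in (("SPAM", SPAM), ("LEGIT", LEGIT), ("SOCIAL", SOCIAL)):
        print(name, matches_rule(msg))
```

Splitting the rule into is_short_body, mentions_photos and suspicious_link makes it easy to see which clause a false positive is tripping; LEGIT above passes the first two clauses and is rejected only by the link check, which is where the rule's precision actually comes from.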