Spam: Fake photo share
Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.
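name: "Spam: Fake photo share"
description: 'Message contains pretexting language about sharing photos ("found these photos and thought you''d like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.'
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    // Body content: one of three pretext shapes
    //   1. short body and a photo / sad-news keyword in the subject
    //   2. short body and the keyword in the html, plain or current-thread text
    //   3. plain-text-only body (no html) with the keyword, a fabricated quote or no thread,
    //      and the sender's display name repeated in the subject
    (
      // 1. subject keyword
      (
        (
          (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
          or (
            length(body.html.display_text) < 500
            and length(body.current_thread.text) == 0
          )
          or (length(body.current_thread.text) < 500)
        )
        and strings.ilike(subject.subject,
                          "*picture*",
                          "*photo*",
                          "*image*",
                          "*sad news*",
                          "*sad announcement*",
                          "*new pics*"
        )
      )
      // 2. body keyword
      or (
        (
          (
            length(body.html.display_text) < 500
            and length(body.current_thread.text) == 0
          )
          and strings.ilike(body.html.display_text,
                            "*picture*",
                            "*photo*",
                            "*image*",
                            "*sad news*",
                            "*sad announcement*",
                            "*new pics*"
          )
        )
        or (
          (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
          and strings.ilike(body.plain.raw,
                            "*picture*",
                            "*photo*",
                            "*image*",
                            "*sad news*",
                            "*sad announcement*",
                            "*new pics*"
          )
          // plain bodies that only reference an inline (cid:) image are ignored
          and not strings.icontains(body.plain.raw, "[cid:image")
        )
        or (
          length(body.current_thread.text) < 500
          and strings.ilike(body.current_thread.text,
                            "*picture*",
                            "*photo*",
                            "*image*",
                            "*sad news*",
                            "*sad announcement*",
                            "*new pics*"
          )
        )
      )
      // 3. plain-text-only body
      or (
        body.plain.raw is not null
        and body.html.display_text is null
        and (
          length(body.current_thread.text) == 0
          or (
            length(body.current_thread.text) < 500
            // fake forward indicator in the plain text body: the raw body carries a
            // quote marker that the parsed current thread does not
            and (
              regex.contains(body.plain.raw,
                             'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
              )
              or strings.icontains(body.plain.raw, 'Original Message')
            )
            and not regex.contains(body.current_thread.text,
                                   'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
            )
            and not strings.icontains(body.current_thread.text, 'Original Message')
            // messages carrying a Resent-From header are excluded here
            and not any(headers.hops, any(.fields, .name == "Resent-From"))
          )
        )
        and strings.ilike(body.plain.raw,
                          "*picture*",
                          "*photo*",
                          "*image*",
                          "*sad news*",
                          "*sad announcement*",
                          "*pics*"
        )
        and not strings.istarts_with(body.plain.raw, "[cid:image")
        // the sender's display name is reused in the subject
        and strings.icontains(subject.subject, sender.display_name)
      )
    )
    // Link check: fewer than five links, and at least one link that is either on a
    // newly registered (< 30 days) or unresolvable domain different from the sender's
    // root domain, or a one-character link to facebook.com / youtube.com
    and length(body.links) < 5
    and any(body.links,
            (
              (
                network.whois(.href_url.domain).days_old < 30
                or not network.whois(.href_url.domain).found
                // a whois lookup that returns no result is treated like a new domain
                or network.whois(.href_url.domain).found is null
              )
              and .href_url.domain.root_domain != sender.email.domain.root_domain
            )
            or (
              length(.display_text) == 1
              and .href_url.domain.root_domain in ("facebook.com", "youtube.com")
            )
    )
  )
  // Thread check: messages with References and a reply/forward subject prefix are
  // excluded as genuine replies; anything without References passes regardless
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        )
      )
    )
    or length(headers.references) == 0
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "eb086f7d-3ad7-52cd-8e16-3ce08726b9ea"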