Spam: Fake photo share

Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.

Sublime rule

name: "Spam: Fake photo share"
description: 'Message contains pretexting language about sharing photos ("found these photos and thought you''d like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.'
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    (
      (length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
      or (
        length(body.html.display_text) < 500
        and length(body.current_thread.text) == 0
      )
      or (length(body.current_thread.text) < 500)
    )
    and (
      strings.ilike(subject.subject, "*picture*", "*photo*", "*image*")
      or strings.icontains(subject.subject, sender.display_name)
      or (
        strings.ilike(body.html.display_text, "*picture*", "*photo*", "*image*")
        or strings.ilike(body.plain.raw, "*picture*", "*photo*", "*image*")
        or strings.ilike(body.current_thread.text,
                         "*picture*",
                         "*photo*",
                         "*image*"
        )
      )
    )
  )
  and length(body.links) < 5
  and any(body.links,
          (
            network.whois(.href_url.domain).days_old < 30
            and .href_url.domain.root_domain != sender.email.domain.root_domain
          )
          or (
            length(.display_text) == 1
            and .href_url.domain.root_domain == "facebook.com"
          )
  )

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "URL analysis"
  - "Whois"
id: "eb086f7d-3ad7-52cd-8e16-3ce08726b9ea"
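The rule above combines three checks: a short body (or no quoted thread), a photo lure in the subject or body, and a small number of links of which at least one points at a newly registered domain outside the sender's root domain, or carries a single-character display text pointing at facebook.com. The following Python is an added example, not part of the Sublime rule or Sublime's own code, that re-implements those conditions so they can be exercised offline against constructed messages. The Message and Link classes, the stub whois table WHOIS_DAYS_OLD (standing in for network.whois) and all sample values are assumptions made for this illustration.

```python
# Added example: a stand-alone re-implementation of the rule's heuristics.
# Message, Link, WHOIS_DAYS_OLD and the sample messages are constructed here;
# they are not Sublime's data model.
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed whois table: hostname -> age in days (stand-in for network.whois).
# Unknown hosts yield None, mirroring a lookup that returns no age.
WHOIS_DAYS_OLD = {
    "photos-for-you.example": 3,      # constructed "newly registered" domain
    "www.example.com": 9000,
    "www.facebook.com": 9000,
}

PHOTO_PATTERNS = ("*picture*", "*photo*", "*image*")


def root_domain(host):
    """Naive root-domain extraction (last two labels); enough for this example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def ilike_any(text, patterns):
    """Case-insensitive glob match against several patterns (like strings.ilike)."""
    lowered = (text or "").lower()
    return any(fnmatch(lowered, p.lower()) for p in patterns)


@dataclass
class Link:
    href_host: str       # hostname of the link target
    display_text: str    # visible anchor text


@dataclass
class Message:
    subject: str
    sender_display_name: str
    sender_domain: str
    body_plain: str = ""
    body_html_text: str = ""
    current_thread_text: str = ""
    links: list = field(default_factory=list)


def is_fake_photo_share(msg):
    """Return True when the message satisfies all three parts of the rule."""
    no_thread = len(msg.current_thread_text) == 0
    short_body = (
        (len(msg.body_plain) < 500 and no_thread)
        or (len(msg.body_html_text) < 500 and no_thread)
        or len(msg.current_thread_text) < 500
    )
    # Guard the icontains check so an empty display name cannot match everything.
    name_in_subject = bool(msg.sender_display_name) and (
        msg.sender_display_name.lower() in msg.subject.lower()
    )
    photo_lure = (
        ilike_any(msg.subject, PHOTO_PATTERNS)
        or name_in_subject
        or ilike_any(msg.body_html_text, PHOTO_PATTERNS)
        or ilike_any(msg.body_plain, PHOTO_PATTERNS)
        or ilike_any(msg.current_thread_text, PHOTO_PATTERNS)
    )
    sender_root = root_domain(msg.sender_domain)

    def suspicious(link):
        age = WHOIS_DAYS_OLD.get(link.href_host.lower())
        young_external = (
            age is not None and age < 30
            and root_domain(link.href_host) != sender_root
        )
        bare_facebook = (
            len(link.display_text) == 1
            and root_domain(link.href_host) == "facebook.com"
        )
        return young_external or bare_facebook

    few_links = len(msg.links) < 5
    return short_body and photo_lure and few_links and any(map(suspicious, msg.links))


# Constructed samples: one lure on a young domain, one single-character facebook
# link, and one long legitimate thread pointing at an old domain.
SAMPLE_HIT = Message(
    subject="remember these photos?",
    sender_display_name="Alex",
    sender_domain="example.com",
    body_plain="Hey, found these photos and thought you'd like them!",
    links=[Link("photos-for-you.example", "see them here")],
)
SAMPLE_FACEBOOK = Message(
    subject="photos from the weekend",
    sender_display_name="Alex",
    sender_domain="example.com",
    body_plain="Take a look.",
    links=[Link("www.facebook.com", ".")],
)
SAMPLE_BENIGN = Message(
    subject="Re: quarterly image assets",
    sender_display_name="Alex",
    sender_domain="example.com",
    body_plain="Thread context. " * 40,
    current_thread_text="Thread context. " * 40,
    links=[Link("www.example.com", "shared folder")],
)

if __name__ == "__main__":
    for name, m in (("hit", SAMPLE_HIT), ("facebook", SAMPLE_FACEBOOK), ("benign", SAMPLE_BENIGN)):
        print(name, is_fake_photo_share(m))
```

The stub whois treats an unknown host as having no age, so a missing lookup cannot by itself satisfy the "newly registered" branch; when porting this to real data, decide explicitly how a failed whois should be scored rather than letting it default to a match.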