Spam: Item Giveaway Spam Template
This detection rule matches on observed html templates impersonating multiple popular brands used to deliver spam. Often the lure leverages a theme of item giveaways or a chance to win an item for completing a survey.
Sublime rule (View on GitHub)
1name: "Spam: Item Giveaway Spam Template"
2description: "This detection rule matches on observed html templates impersonating multiple popular brands used to deliver spam. Often the lure leverages a theme of item giveaways or a chance to win an item for completing a survey."
3type: "rule"
4severity: "low"
5source: |
6 type.inbound
7 and (not profile.by_sender().solicited or sender.email.email == "")
8 // not high trust sender domains
9 and (
10 (
11 sender.email.domain.root_domain in $high_trust_sender_root_domains
12 and not headers.auth_summary.dmarc.pass
13 )
14 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
15 )
16 and regex.icontains(body.html.raw,
17 '<(?:div|body)[^\>]*\>\s*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<br>\s*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>\s*<a href=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>',
18 '<center>(?:<[^\>]+>)*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*<br>\s*\<img src=(?:\x22[^\>]+)\><\/a>'
19 )
20attack_types:
21 - "Spam"
22tactics_and_techniques:
23 - "Image as content"
24detection_methods:
25 - "Content analysis"
26 - "HTML analysis"
27 - "Sender analysis"
28 - "Exif analysis"
29id: "06a5f93b-dff1-583a-a3b4-dd0182c11bb7"