Spam: Item Giveaway Spam Template

This detection rule matches observed HTML templates that impersonate multiple popular brands and are used to deliver spam. The lure often promises an item giveaway or a chance to win an item in exchange for completing a survey.

Sublime rule (View on GitHub)

name: "Spam: Item Giveaway Spam Template"
description: "This detection rule matches on observed html templates impersonating multiple popular brands used to deliver spam.  Often the lure leverages a theme of item giveaways or a chance to win an item for completing a survey."
type: "rule"
severity: "low"
source: |
  type.inbound
  and (not profile.by_sender().solicited or sender.email.email == "")
  // not high trust sender domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and regex.icontains(body.html.raw,
                      '<(?:div|body)[^\>]*\>\s*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<br>\s*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>\s*<a href=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>',
                      '<center>(?:<[^\>]+>)*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*<br>\s*\<img src=(?:\x22[^\>]+)\><\/a>'
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Sender analysis"
  - "Exif analysis"
id: "06a5f93b-dff1-583a-a3b4-dd0182c11bb7"
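The rule has two parts: a sender gate (the message is inbound and unsolicited, and the sender's root domain is either outside the high-trust list or in it but failing DMARC) and a body check that runs the two template regexes with a case-insensitive search. The Python below is an added example, not part of the Sublime rule or the Sublime platform; it copies the two patterns verbatim, mirrors the sender gate as a plain function, and runs both over constructed sample bodies (one per template shape, plus a benign newsletter) so the structure each regex demands is visible. The message dictionaries, the `example.invalid` URLs and the high-trust list are constructed for the example.

```python
import re

# The rule's two patterns, copied verbatim. \x22 is a double quote; Python's
# re treats \>, \< and \/ as the literal characters, so no rewriting is needed.
TEMPLATE_PATTERNS = [
    re.compile(
        r'<(?:div|body)[^\>]*\>\s*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<br>\s*'
        r'<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>\s*'
        r'<a href=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*'
        r'\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>',
        re.IGNORECASE,
    ),
    re.compile(
        r'<center>(?:<[^\>]+>)*<a href=(?:\x22[^\>]+)\>\s*[^\n]*'
        r'<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*<br>\s*'
        r'\<img src=(?:\x22[^\>]+)\><\/a>',
        re.IGNORECASE,
    ),
]


def matches_template(body_html: str) -> bool:
    """Equivalent of regex.icontains(body.html.raw, p1, p2): any pattern found."""
    return any(p.search(body_html) for p in TEMPLATE_PATTERNS)


def sender_gate(root_domain: str, dmarc_pass: bool, solicited: bool,
                sender_email: str, high_trust: set) -> bool:
    """Mirror of the rule's sender conditions.

    A high-trust root domain only passes the gate when DMARC did NOT pass
    (i.e. the trusted brand is probably being spoofed); every other domain
    passes unconditionally. The message must also be unsolicited, or carry
    an empty sender address.
    """
    unsolicited = (not solicited) or sender_email == ""
    if root_domain in high_trust:
        trust_ok = not dmarc_pass
    else:
        trust_ok = True
    return unsolicited and trust_ok


def rule_fires(msg: dict, high_trust: set) -> bool:
    """Full rule: inbound AND sender gate AND template regex on the body."""
    return (
        msg["inbound"]
        and sender_gate(msg["root_domain"], msg["dmarc_pass"], msg["solicited"],
                        msg["sender_email"], high_trust)
        and matches_template(msg["body_html"])
    )


# Constructed sample bodies. The first follows the <div|body> template shape,
# the second the <center> shape, the third is an ordinary transactional mail.
GIVEAWAY_BODY = """<html><body>
<a href="http://example.invalid/win">
Congratulations! You have been selected<br>
<img src="http://example.invalid/a.png">
<img src="http://example.invalid/b.png"></a>
<br>
<a href="http://example.invalid/claim">
<img src="http://example.invalid/c.png">
<img src="http://example.invalid/d.png"></a>
<br>
</body></html>"""

GIVEAWAY_CENTER = """<center><table><tr><td><a href="http://example.invalid/prize">
<img src="http://example.invalid/1.png">
<img src="http://example.invalid/2.png">
<br>
<img src="http://example.invalid/3.png"></a></td></tr></table></center>"""

BENIGN = """<html><body>
<p>Hi Sam, here is your monthly statement.</p>
<a href="http://example.invalid/statement"><img src="http://example.invalid/logo.png"></a>
</body></html>"""

HIGH_TRUST = {"trustedbrand.invalid"}  # constructed stand-in for the rule's list


def evaluate_samples() -> dict:
    """Run the rule over constructed messages; keys name the scenario."""
    base = dict(inbound=True, solicited=False, sender_email="x@junk.invalid",
                root_domain="junk.invalid", dmarc_pass=True)
    return {
        "body_template_untrusted": rule_fires({**base, "body_html": GIVEAWAY_BODY}, HIGH_TRUST),
        "center_template_untrusted": rule_fires({**base, "body_html": GIVEAWAY_CENTER}, HIGH_TRUST),
        "benign_untrusted": rule_fires({**base, "body_html": BENIGN}, HIGH_TRUST),
        # trusted brand with passing DMARC: gated out even though the body matches
        "body_template_trusted_dmarc_pass": rule_fires(
            {**base, "root_domain": "trustedbrand.invalid", "body_html": GIVEAWAY_BODY}, HIGH_TRUST),
        # trusted brand failing DMARC: fires, since the brand is likely spoofed
        "body_template_trusted_dmarc_fail": rule_fires(
            {**base, "root_domain": "trustedbrand.invalid", "dmarc_pass": False,
             "body_html": GIVEAWAY_BODY}, HIGH_TRUST),
        "outbound_ignored": rule_fires({**base, "inbound": False, "body_html": GIVEAWAY_BODY}, HIGH_TRUST),
    }


if __name__ == "__main__":
    for scenario, fired in evaluate_samples().items():
        print(f"{scenario}: {'FIRES' if fired else 'quiet'}")
```

Note how rigid the regexes are: each requires the exact link/image/`<br>` sequence, with `[^\n]*` allowing only a single line of lead text between the anchor and the first `<br>` or `<img>`. That rigidity is why the rule is tuned for specific observed templates rather than giveaway spam in general, and why the sender gate adds little risk for legitimate brand mail that passes DMARC.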