• Sublime Core Feed
Medium Severity

Attachment: Fake attachment image lure

Labels

Credential Phishing
Malware/Ransomware
Evasion
Image as content
Social engineering
File analysis
Natural Language Understanding
Optical Character Recognition

Description

Message (or attached message) contains an image impersonating an Outlook attachment button.

References

No references.

Sublime Security
Created Dec 11th, 2023 • Last updated Sep 22nd, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(attachments) < 15
and (
  // fake file attachment preview in original email
  any(attachments,
      .file_type in $file_types_images
      and (
        any(ml.logo_detect(.).brands,
            .name == "FakeAttachment" and .confidence == "high"
        )
        or (
          .size < 30000
          and any(file.explode(.),
                  strings.icontains(.scan.ocr.raw, 'sent you')
                  // the attached image includes a filesize string
                  and regex.icontains(.scan.ocr.raw,
                                      '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
                  )
          )
        )
      )
  )
  // message body/screenhot
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name == "FakeAttachment" and .confidence == "high"
  )
  
  // Suspicious table with file size indicators 
  or regex.contains(body.html.raw,
                    "<table[^>]*>.*?<img[^>]+src=[\"']cid:[^\"']+[\"'][^>]*>.*?\\.(pdf|doc(x)|xls(x)?).*?<font[^>]*>\\s*\\d{1,4}\\.\\d{1,2}\\s*k[bB]"
  )

  // fake file attachment preview in attached EML
  or any(attachments,
         (.content_type == "message/rfc822" or .file_extension == "eml")
         and any(file.parse_eml(.).attachments,
                 .file_type in $file_types_images
                 and (
                   any(ml.logo_detect(.).brands, .name == "FakeAttachment")
                   or (
                     .size < 30000
                     and any(file.explode(.),
                             strings.icontains(.scan.ocr.raw, 'sent you')
                             // the attached image includes a filesize string
                             and regex.icontains(.scan.ocr.raw,
                                                 '\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
                             )
                     )
                   )
                 )
         )
  )
)
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "R:")
    or strings.istarts_with(subject.subject, "ODG:")
    or strings.istarts_with(subject.subject, "答复:")
    or strings.istarts_with(subject.subject, "AW:")
    or strings.istarts_with(subject.subject, "TR:")
    or strings.istarts_with(subject.subject, "FWD:")
    or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
    or regex.imatch(subject.subject,
                    '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
    )
  )
  and (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  sender.email.domain.root_domain not in ("sharepointonline.com")
  or not headers.auth_summary.dmarc.pass
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started