Medium Severity
Attachment: Fake attachment image lure
Description
Message (or attached message) contains an image impersonating an Outlook attachment button.
References
No references.
Sublime Security
Created Dec 11th, 2023 • Last updated Jul 19th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and (
// fake file attachment preview in original email
any(attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands, .name == "FakeAttachment")
or (
.size < 30000
and any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'sent you')
// the attached image includes a filesize string
and regex.icontains(.scan.ocr.raw,
'\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
)
)
)
)
)
// fake file attachment preview in attached EML
or any(attachments,
(.content_type == "message/rfc822" or .file_extension == "eml")
and any(file.parse_eml(.).attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands, .name == "FakeAttachment")
or (
.size < 30000
and any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'sent you')
// the attached image includes a filesize string
and regex.icontains(.scan.ocr.raw,
'\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
)
)
)
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
Playground
Test against your own EMLs or sample data.