• Sublime Core Feed
Medium Severity

Attachment: Fake attachment image lure

Labels

Description

Message (or attached message) contains an image impersonating an Outlook attachment button.

References

No references.

Sublime Security
Created Dec 11th, 2023 • Last updated Feb 16th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  // fake file attachment preview in original email
  any(attachments,
      .file_type in $file_types_images
      and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
  )
  // fake file attachment preview in attached EML
  or any(attachments,
         (.content_type == "message/rfc822" or .file_extension == "eml")
         and any(file.parse_eml(.).attachments,
                 .file_type in $file_types_images
                 and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
         )
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started