• Sublime Core Feed
High Severity

Attachment: Fake Slack installer

Labels

Description

HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.

References

No references.

Sublime Security
Created Oct 17th, 2023 • Last updated Nov 29th, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  any(attachments,
      (
        .file_extension in~ ("html", "htm", "shtml", "dhtml")
        or .file_type == "html"
        or .content_type == "text/html"
      )
      and any(ml.logo_detect(file.html_screenshot(.)).brands,
              .name == "Slack" and .confidence in ("medium", "high")
      )
      and any(ml.nlu_classifier(file.parse_html(.).display_text).entities,
              .name == "request" and .text =~ "download"
      )
      and any(file.explode(.),
              any(.scan.url.urls,
                  strings.iends_with(.path, ".exe")
                  and .domain.root_domain not in $org_domains
              )
      )
  )
)

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started