Medium Severity
Credential Phishing: Image as content, short or no body contents
Description
This rule identifies incoming messages with minimal links, all image attachments and either empty, brief or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition to high-confidence credit theft intentions.
References
No references.
Sublime Security
Created Sep 8th, 2023 • Last updated Sep 8th, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
and length(body.links) < 2
and 0 < (length(attachments)) < 3
and (
// body text is very short
(
0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
)
or (
length(body.current_thread.text) < 900
// or body is most likely all warning banner (text contains the sender and common warning banner language)
and (
(
strings.contains(body.current_thread.text, sender.email.email)
and strings.contains(body.current_thread.text, 'caution')
)
or regex.icontains(body.current_thread.text,
"intended recipient's use only|external email|sent from outside|you don't often"
)
)
)
)
and (
all(attachments,
(.file_type in $file_types_images)
and (
any(file.explode(.),
any(.scan.exiftool.fields, .value == "Truncated PNG image")
or (
any(ml.logo_detect(..).brands, .name is not null)
and any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
)
)
)
Playground
Test against your own EMLs or sample data.