Medium Severity
Fake scan-to-email message
Description
Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain.
References
No references.
Sublime Security
Created Jan 30th, 2024 • Last updated Jun 7th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(attachments) == 0
and 0 < length(body.links) < 3
and strings.ilike(subject.subject, "*message from*")
and (
  (
    strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
    and not strings.ilike(body.current_thread.text, "*unmonitored*")
  )
  or any(file.explode(beta.message_screenshot()),
         strings.ilike(.scan.ocr.raw, "*scan date*", "*was sent from*")
         and not strings.ilike(.scan.ocr.raw, "*unmonitored*")
  )
)
and (
  any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
  or any(body.links, .display_url.url != .href_url.url)
  or any(body.links, .display_url.url is null)
)
and all(body.links,
        .href_url.domain.domain not in~ $org_domains
        and .href_url.domain.domain not in ("aka.ms")
)
and sender.email.domain.domain not in~ $org_domains
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and not profile.by_sender().any_false_positives
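A Python approximation of the rule's structural checks, added here as an illustration (it is not Sublime's evaluator and not code from this rule): it omits the sender-profile and screenshot-OCR branches, treats $org_domains and $free_file_hosts as small assumed sets, and runs on two constructed messages, one shaped like the lure and one like a genuine device notice.

```python
from fnmatch import fnmatch

# Stand-ins for the rule's $org_domains and $free_file_hosts lists (assumed members).
ORG_DOMAINS = {"example.com"}
FREE_FILE_HOSTS = {"dropbox.com", "wetransfer.com"}

def ilike(text, *patterns):
    """Case-insensitive '*' glob match, approximating MQL strings.ilike."""
    return text is not None and any(fnmatch(text.lower(), p.lower()) for p in patterns)

def root_domain(host):
    """Naive registrable domain (last two labels); adequate for the samples here."""
    return ".".join(host.lower().split(".")[-2:])

def is_fake_scan_to_email(msg):
    """Mirror the rule's structural checks; sender-profile and OCR branches are omitted."""
    links = msg["links"]
    if msg["attachments"] or not 0 < len(links) < 3:
        return False
    if not ilike(msg["subject"], "*message from*"):
        return False
    body = msg["body_text"]
    if not ilike(body, "*scan date*", "*was sent from*") or ilike(body, "*unmonitored*"):
        return False
    # At least one link is on a free file host, hides its target, or has no display URL.
    if not any(root_domain(l["href_domain"]) in FREE_FILE_HOSTS
               or l["display_url"] is None or l["display_url"] != l["href_url"]
               for l in links):
        return False
    # Every link must point outside the org and away from the allow-listed aka.ms.
    if any(l["href_domain"].lower() in ORG_DOMAINS | {"aka.ms"} for l in links):
        return False
    return msg["sender_domain"].lower() not in ORG_DOMAINS

# Constructed sample: link text imitates an internal URL while the href goes elsewhere.
SUSPICIOUS = {
    "attachments": [], "sender_domain": "mailer.invalid",
    "subject": "Scanned message from Printer-01",
    "body_text": "Scan Date: 01/30/2024\nThis message was sent from a scanner.",
    "links": [{"href_url": "https://files.bad.invalid/doc",
               "href_domain": "files.bad.invalid",
               "display_url": "https://intranet.example.com/scans/doc.pdf"}],
}

# Constructed sample of a real device notice: attachment present, 'unmonitored' footer.
BENIGN = {
    "attachments": ["scan_0001.pdf"], "sender_domain": "example.com",
    "subject": "Scanned message from Printer-01",
    "body_text": "Scan Date: 01/30/2024\nThis mailbox is unmonitored.",
    "links": [{"href_url": "https://intranet.example.com/help",
               "href_domain": "intranet.example.com",
               "display_url": "https://intranet.example.com/help"}],
}
```

Changing a single field of SUSPICIOUS (adding an attachment, making the display URL equal the href, or sending it from an org domain) flips the result, which is a quick way to see which clause of the rule each benign-looking notice would fail on.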