Credential phishing: Image as content, short or no body contents
This rule identifies inbound messages with minimal links, where every attachment is an image and the body text is empty, very brief, or consists only of a warning banner/disclaimer. It additionally requires each image to be either a truncated PNG or to contain a detected brand logo together with high-confidence credential-theft intent in its OCR text.
Detection Query
type.inbound
and length(body.links) < 2
and 0 < (length(attachments)) < 3
and (
  // body text is very short
  (
    0 <= (length(body.current_thread.text)) < 10
    or body.current_thread.text is null
  )
  or (
    length(body.current_thread.text) < 900
    // or body is most likely all warning banner (text contains the sender and common warning banner language)
    and (
      (
        strings.contains(body.current_thread.text, sender.email.email)
        and strings.contains(body.current_thread.text, 'caution')
      )
      or regex.icontains(body.current_thread.text,
                         "intended recipient's use only|external email|sent from outside|you don't often"
      )
    )
  )
)
and (
  all(attachments,
      (.file_type in $file_types_images)
      and (
        any(file.explode(.),
            any(.scan.exiftool.fields, .value == "Truncated PNG image")
            or (
              any(ml.logo_detect(..).brands, .name is not null)
              and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
              )
            )
        )
      )
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Credential phishing: Image as content, short or no body contents"
description: |
  This rule identifies inbound messages with minimal links, where every attachment is an image and the body text
  is empty, very brief, or consists only of a warning banner/disclaimer. It additionally requires each image to be
  either a truncated PNG or to contain a detected brand logo together with high-confidence credential-theft intent
  in its OCR text.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 2
  and 0 < (length(attachments)) < 3
  and (
    // body text is very short
    (
      0 <= (length(body.current_thread.text)) < 10
      or body.current_thread.text is null
    )
    or (
      length(body.current_thread.text) < 900
      // or body is most likely all warning banner (text contains the sender and common warning banner language)
      and (
        (
          strings.contains(body.current_thread.text, sender.email.email)
          and strings.contains(body.current_thread.text, 'caution')
        )
        or regex.icontains(body.current_thread.text,
                           "intended recipient's use only|external email|sent from outside|you don't often"
        )
      )
    )
  )
  and (
    all(attachments,
        (.file_type in $file_types_images)
        and (
          any(file.explode(.),
              any(.scan.exiftool.fields, .value == "Truncated PNG image")
              or (
                any(ml.logo_detect(..).brands, .name is not null)
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft" and .confidence == "high"
                )
              )
          )
        )
    )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Image as content"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
id: "01313f38-d0d1-5240-b407-8f9158639277"