EXPLORE
Sign In
← Back to Explore
sublimelowRule

Spam: Item giveaway spam template

This detection rule matches on observed html templates impersonating multiple popular brands used to deliver spam. Often the lure leverages a theme of item giveaways or a chance to win an item for completing a survey.

MITRE ATT&CK

T1566

Detection Query

type.inbound
and (not profile.by_sender().solicited or sender.email.email == "")
// not high trust sender domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and regex.icontains(body.html.raw,
                    '<(?:div|body)[^\>]*\>\s*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<br>\s*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>\s*<a href=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>',
                    '<center>(?:<[^\>]+>)*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*<br>\s*\<img src=(?:\x22[^\>]+)\><\/a>'
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Spam: Item giveaway spam template"
description: "This detection rule matches on observed html templates impersonating multiple popular brands used to deliver spam.  Often the lure leverages a theme of item giveaways or a chance to win an item for completing a survey."
type: "rule"
severity: "low"
source: |
  type.inbound
  and (not profile.by_sender().solicited or sender.email.email == "")
  // not high trust sender domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and regex.icontains(body.html.raw,
                      '<(?:div|body)[^\>]*\>\s*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<br>\s*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>\s*<a href=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\><\/a>\s*<br>',
                      '<center>(?:<[^\>]+>)*<a href=(?:\x22[^\>]+)\>\s*[^\n]*<img src=(?:\x22[^\>]+)\>\s*\<img src=(?:\x22[^\>]+)\>\s*<br>\s*\<img src=(?:\x22[^\>]+)\><\/a>'
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Sender analysis"
  - "Exif analysis"
id: "06a5f93b-dff1-583a-a3b4-dd0182c11bb7"