sublimemediumRule

PHP Mailer with common phishing attachments

Mail coming from a PHP Mailer user agent that includes attachments with commonly used names in phishing campaigns

MITRE ATT&CK

Detection Query

type.inbound
and strings.ilike(headers.mailer, '*phpmailer*')
and any(attachments, .file_name in~ ('image.png', 'name.png', 'use.png'))

Author

vector_sec

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/headers_php_mailer.yml

Raw Content

name: "PHP Mailer with common phishing attachments"
description: |
  Mail coming from a PHP Mailer user agent that includes attachments with commonly used names in phishing campaigns
references:
  - "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/headers_php_mailer.yml"
type: "rule"
severity: "medium"
authors:
  - twitter: "vector_sec"
source: |
  type.inbound
  and strings.ilike(headers.mailer, '*phpmailer*')
  and any(attachments, .file_name in~ ('image.png', 'name.png', 'use.png'))
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Image as content"
detection_methods:
  - "Header analysis"
id: "07e03563-88f6-5d2f-8730-7d17f860ba14"