Fake scan-to-email message

name: "Fake scan-to-email message"
description: "Message resembles an email from a scan-to-email service or device, but does not contain any attachments, instead linking to an unknown domain."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and 0 < length(body.links) < 3
  and strings.ilike(subject.subject, "*message from*")
  and (
    (
      strings.ilike(body.current_thread.text, "*scan date*", "*was sent from*")
      and not strings.ilike(body.current_thread.text, "*unmonitored*")
    )
    or (
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      strings.ilike(beta.ocr(file.message_screenshot()).text,
                    "*scan date*",
                    "*was sent from*"
      )
      and not strings.ilike(beta.ocr(file.message_screenshot()).text,
                            "*unmonitored*"
      )
    )
  )
  and (
    any(body.links, .href_url.domain.root_domain in~ $free_file_hosts)
    or any(body.links, .display_url.url != .href_url.url)
    or any(body.links, .display_url.url is null)
  )
  and all(body.links,
          .href_url.domain.domain not in~ $org_domains
          and .href_url.domain.domain not in ("aka.ms")
  )
  and sender.email.domain.domain not in~ $org_domains
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "78851fbe-9481-5fda-b472-f0b8dfb35e1a"