Inline image as message with attachment or link

name: "Inline image as message with attachment or link"
description: |
  Using inline images in lieu of HTML or text content in the message is a known
  technique used to bypass content based scanning engines.

  We've observed this technique used to deliver malware via attachments and phish credentials.
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(body.html.raw) < 200
  and length(body.links) > 0
  and (
    // as of 20220116 there's a link parsing bug with .png inline images, so ignore those
    any(body.links, not strings.ilike(.href_url.url, "*.png"))
  
    // cid images are treated as attachments, so we're looking for more than 1
    or (
      length(attachments) > 1
      and any(attachments, .file_type not in $file_types_images)
    )
  )
  and strings.ilike(body.html.raw, "*img*cid*")
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "823d7107-2605-5671-9acb-ba172d071671"