sublime | high | Rule

Attachment: Employment contract update with suspicious file naming

Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
// two attachments, one png and one pptx
and length(attachments) == 2
// the pptx has Empl0yment in name
and length(filter(attachments, strings.contains(.file_name, "Empl0yment"))) == 1
and strings.icontains(body.current_thread.text,
                      "Your Employment Contract has being updated"
)
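The rule above re-expressed in Python, as an added example that is not Sublime's code or the rule's own MQL, so that each predicate (inbound, exactly two attachments, exactly one attachment whose name contains the case-sensitive fragment `Empl0yment`, case-insensitive lure text in the current thread body) can be run against constructed sample mail. The `Message` and `Attachment` classes, the sample messages and the `normalize_substitutions` helper are assumptions; the helper goes beyond the rule by flagging any word-internal digit-for-letter substitution (0/1/3/5) in a filename, not just the one spelling the rule keys on.

```python
import re
from dataclasses import dataclass

# Lure string from the rule; matched case-insensitively like strings.icontains
LURE_TEXT = "Your Employment Contract has being updated"
SUSPICIOUS_NAME_FRAGMENT = "Empl0yment"  # zero in place of the letter o


@dataclass
class Attachment:
    file_name: str


@dataclass
class Message:
    inbound: bool            # stands in for type.inbound
    attachments: list        # list[Attachment]
    body_text: str           # stands in for body.current_thread.text


def matches_rule(msg: Message) -> bool:
    """Python equivalent of the MQL rule, predicate by predicate."""
    if not msg.inbound:                         # type.inbound
        return False
    if len(msg.attachments) != 2:               # length(attachments) == 2
        return False
    # strings.contains is case-sensitive, so plain `in` is the right analogue
    hits = [a for a in msg.attachments if SUSPICIOUS_NAME_FRAGMENT in a.file_name]
    if len(hits) != 1:                          # exactly one attachment carries the fragment
        return False
    return LURE_TEXT.lower() in msg.body_text.lower()   # strings.icontains


# Assumed generalisation (not part of the rule): a digit standing in for a letter
# between two letters is the pattern 'Empl0yment' is one instance of.
LEET_DIGITS = {"0": "o", "1": "l", "3": "e", "5": "s"}
WORD_INTERNAL_DIGIT = re.compile(r"(?<=[A-Za-z])([0135])(?=[A-Za-z])")


def normalize_substitutions(file_name: str) -> tuple:
    """Map letter-like digits back to letters when they sit inside a word.

    Returns (normalized_name, changed); `changed` is True when the filename
    contained at least one such substitution.
    """
    normalized = WORD_INTERNAL_DIGIT.sub(lambda m: LEET_DIGITS[m.group(1)], file_name)
    return normalized, normalized != file_name


# Constructed sample messages (not real mail)
PHISH = Message(
    inbound=True,
    attachments=[Attachment("logo.png"), Attachment("Empl0yment_Contract.pptx")],
    body_text="Hello,\n\nYour Employment Contract has being updated. Please review the attached.",
)
LEGIT = Message(
    inbound=True,
    attachments=[Attachment("logo.png"), Attachment("Employment_Contract.pptx")],
    body_text="Hi, your employment contract has been updated; see attached.",
)

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "matches rule:", matches_rule(m))
        for a in m.attachments:
            print("  ", a.file_name, "->", normalize_substitutions(a.file_name))
```

`matches_rule` keeps the rule's exact-count semantics: a third attachment, or two attachments both carrying the fragment, makes the message fall outside the rule just as it would in MQL. The normaliser only rewrites digits flanked by letters on both sides, so version numbers and dates such as `report_2024.pptx` are left alone.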

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Attachment: Employment contract update with suspicious file naming"
description: "Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated."
type: "rule"
severity: "high"
source: |
  type.inbound
  // two attachments, one png and one pptx
  and length(attachments) == 2
  // the pptx has Empl0yment in name
  and length(filter(attachments, strings.contains(.file_name, "Empl0yment"))) == 1
  and strings.icontains(body.current_thread.text,
                        "Your Employment Contract has being updated"
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
id: "8bdcd2da-c970-5b55-81f8-1b95d3d9dce0"