← Back to Explore
sublimemediumRule
Attachment: Fake attachment image lure
Message (or attached message) contains an image impersonating an Outlook attachment button.
Detection Query
type.inbound
and length(attachments) < 15
and (
// fake file attachment preview in original email
any(attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands,
.name == "FakeAttachment" and .confidence == "high"
)
or (
.size < 30000
and any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'sent you')
// the attached image includes a filesize string
and regex.icontains(.scan.ocr.raw,
'\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
)
)
)
)
)
// message body/screenhot
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "FakeAttachment" and .confidence == "high"
)
// Suspicious table with file size indicators
or regex.contains(body.html.raw,
"<table[^>]*>.*?<img[^>]+src=[\"']cid:[^\"']+[\"'][^>]*>.*?\\.(pdf|doc(x)|xls(x)?).*?<font[^>]*>\\s*\\d{1,4}\\.\\d{1,2}\\s*k[bB]"
)
// fake file attachment preview in attached EML
or any(attachments,
(.content_type == "message/rfc822" or .file_extension == "eml")
and any(file.parse_eml(.).attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands, .name == "FakeAttachment")
or (
.size < 30000
and any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'sent you')
// the attached image includes a filesize string
and regex.icontains(.scan.ocr.raw,
'\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
)
)
)
)
)
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
or regex.imatch(subject.subject,
'^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
)
)
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
sender.email.domain.root_domain not in ("sharepointonline.com")
or not headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Suspicious attachmentSuspicious content
Raw Content
name: "Attachment: Fake attachment image lure"
description: |
Message (or attached message) contains an image impersonating an Outlook attachment button.
type: "rule"
severity: "medium"
source: |
type.inbound
and length(attachments) < 15
and (
// fake file attachment preview in original email
any(attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands,
.name == "FakeAttachment" and .confidence == "high"
)
or (
.size < 30000
and any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'sent you')
// the attached image includes a filesize string
and regex.icontains(.scan.ocr.raw,
'\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
)
)
)
)
)
// message body/screenhot
or any(ml.logo_detect(file.message_screenshot()).brands,
.name == "FakeAttachment" and .confidence == "high"
)
// Suspicious table with file size indicators
or regex.contains(body.html.raw,
"<table[^>]*>.*?<img[^>]+src=[\"']cid:[^\"']+[\"'][^>]*>.*?\\.(pdf|doc(x)|xls(x)?).*?<font[^>]*>\\s*\\d{1,4}\\.\\d{1,2}\\s*k[bB]"
)
// fake file attachment preview in attached EML
or any(attachments,
(.content_type == "message/rfc822" or .file_extension == "eml")
and any(file.parse_eml(.).attachments,
.file_type in $file_types_images
and (
any(ml.logo_detect(.).brands, .name == "FakeAttachment")
or (
.size < 30000
and any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'sent you')
// the attached image includes a filesize string
and regex.icontains(.scan.ocr.raw,
'\b\d+.\d{1,2}\s?(k|m)b(\s|$)'
)
)
)
)
)
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
or regex.imatch(subject.subject,
'^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
)
)
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
sender.email.domain.root_domain not in ("sharepointonline.com")
or not headers.auth_summary.dmarc.pass
)
tags:
- "Suspicious attachment"
- "Suspicious content"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Image as content"
- "Social engineering"
detection_methods:
- "File analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"