
Attachment: Suspicious employee policy update document lure

Inbound message whose subject line and attachment file names both relate to handbook, compensation, or policy updates. At least one of up to three attachments must be an Office document or PDF (doc, docx, docm, pdf, pptx) whose file name matches similar update-related terminology; the message is not excluded merely for coming from a high-trust domain unless that domain also passes DMARC. This pattern has been observed delivering credential phishing via QR codes embedded in the document.

MITRE ATT&CK

initial-access, defense-evasion

Detection Query

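type.inbound
// NOTE: This rule is designed for these values to match/sync subject.base and file names
// Both the subject AND at least one attachment file name must pair a compensation/policy
// term with an "update/review"-style term. The subject check runs first; the attachment
// check is scoped by any(attachments, ...) so the other attachments (up to 3 total) are
// not inspected.
and (
  // the subject contains pay related items
  (
    strings.icontains(subject.base, 'salary')
    or regex.icontains(subject.base, '\bpay(?:out|roll|\b)')
    or strings.icontains(subject.base, 'remuneration')
    or strings.icontains(subject.base, 'bonus')
    or strings.icontains(subject.base, 'incentive')
    // strings.icontains matches literally, so '\b' was never a word boundary there;
    // the trailing-boundary intent (merit, not meritorious) needs regex.icontains
    or regex.icontains(subject.base, 'merit\b')
    or strings.icontains(subject.base, 'handbook')
    or strings.icontains(subject.base, 'benefits')
    or strings.icontains(subject.base, 'earnings')
    or strings.icontains(subject.base, 'contract')
    // [o0] catches the common zero-for-o homoglyph substitution
    or regex.icontains(subject.base, 'empl[o0]yment')
  )
  and (
    // the subject also contains an update/review style term
    strings.icontains(subject.base, 'review')
    or strings.icontains(subject.base, 'breakdown')
    or strings.icontains(subject.base, 'Access Your')
    or strings.icontains(subject.base, 'evaluation')
    or regex.icontains(subject.base, 'eval\b')
    or strings.icontains(subject.base, 'assessment')
    or strings.icontains(subject.base, 'appraisal')
    or strings.icontains(subject.base, 'feedback')
    or strings.icontains(subject.base, 'performance')
    or strings.icontains(subject.base, 'adjustment')
    or strings.icontains(subject.base, 'qualification')
    or strings.icontains(subject.base, 'increase')
    or strings.icontains(subject.base, 'raise')
    or strings.icontains(subject.base, 'change')
    or strings.icontains(subject.base, 'modification')
    or strings.icontains(subject.base, 'distribution')
    or strings.icontains(subject.base, 'details')
    or regex.icontains(subject.base, 'revis(?:ed|ion)')
    or regex.icontains(subject.base, 'amend(?:ed|ment)')
    or regex.icontains(subject.base, 'update(?:d| to)')
    or strings.icontains(subject.base, 'plan')
    or strings.icontains(subject.base, 'notification')
  )
)
// lures of this kind carry one document; a large attachment count is more likely legitimate
and 0 < length(attachments) <= 3
and any(attachments,
        // NOTE(review): extension match is a literal list membership test — confirm
        // .file_extension is normalized to lowercase upstream, otherwise "DOCX" slips past
        .file_extension in ("doc", "docx", "docm", "pdf", "pptx")
        and (
          // the file name contains pay related items
          strings.icontains(.file_name, 'salary')
          or strings.icontains(.file_name, 'compensation')
          or regex.icontains(.file_name, '\bpay(?:roll|\b)')
          or strings.icontains(.file_name, 'bonus')
          or strings.icontains(.file_name, 'incentive')
          // same word-boundary fix as the subject check above
          or regex.icontains(.file_name, 'merit\b')
          or strings.icontains(.file_name, 'handbook')
          or strings.icontains(.file_name, 'benefits')
          or regex.icontains(.file_name, 'empl[o0]yment')
        )
        and (
          // the file name also contains an update/review style term
          strings.icontains(.file_name, 'review')
          or strings.icontains(.file_name, 'evaluation')
          or regex.icontains(.file_name, 'eval\b')
          or strings.icontains(.file_name, 'assessment')
          or strings.icontains(.file_name, 'appraisal')
          or strings.icontains(.file_name, 'feedback')
          or strings.icontains(.file_name, 'performance')
          or strings.icontains(.file_name, 'adjustment')
          or strings.icontains(.file_name, 'increase')
          or strings.icontains(.file_name, 'increment')
          or strings.icontains(.file_name, 'raise')
          or strings.icontains(.file_name, 'change')
          or strings.icontains(.file_name, 'modification')
          or strings.icontains(.file_name, 'distribution')
          or strings.icontains(.file_name, 'statement')
          or regex.icontains(.file_name, 'revis(?:ed|ion)')
          or regex.icontains(.file_name, 'amend(?:ed|ment)')
          or regex.icontains(.file_name, 'adjust(?:ed|ment)')
          or regex.icontains(.file_name, 'update(?:d| to)')
          // month name followed by a year 2020-2039; '[23]' is a character class, the
          // previous '[2,3]{1}' also accepted a literal comma as the third digit
          or regex.icontains(.file_name,
                             '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[23]\d'
          )
          or strings.icontains(.file_name, 'contract')
          or (
            // file name contains recipient's email (personalized lure)
            any(recipients.to,
                strings.icontains(..file_name, .email.email)
                and .email.domain.valid
            )
          )
        )
)
// High-trust sender exclusion: both conditions are required, so a spoofed trusted
// root domain that fails (or lacks) DMARC still fires the rule.
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)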

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
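name: "Attachment: Suspicious employee policy update document lure"
description: "Inbound message whose subject line and attachment file names both relate to handbook, compensation, or policy updates. At least one of up to three attachments must be an Office document or PDF (doc, docx, docm, pdf, pptx) whose file name matches similar update-related terminology. This pattern has been observed delivering credential phishing via QR codes embedded in the document."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // NOTE: This rule is designed for these values to match/sync subject.base and file names
  // Both the subject AND at least one attachment file name must pair a compensation/policy
  // term with an "update/review"-style term; other attachments (up to 3 total) are not
  // inspected.
  and (
    // the subject contains pay related items
    (
      strings.icontains(subject.base, 'salary')
      or regex.icontains(subject.base, '\bpay(?:out|roll|\b)')
      or strings.icontains(subject.base, 'remuneration')
      or strings.icontains(subject.base, 'bonus')
      or strings.icontains(subject.base, 'incentive')
      // strings.icontains matches literally, so '\b' was never a word boundary there;
      // the trailing-boundary intent (merit, not meritorious) needs regex.icontains
      or regex.icontains(subject.base, 'merit\b')
      or strings.icontains(subject.base, 'handbook')
      or strings.icontains(subject.base, 'benefits')
      or strings.icontains(subject.base, 'earnings')
      or strings.icontains(subject.base, 'contract')
      // [o0] catches the common zero-for-o homoglyph substitution
      or regex.icontains(subject.base, 'empl[o0]yment')
    )
    and (
      // the subject also contains an update/review style term
      strings.icontains(subject.base, 'review')
      or strings.icontains(subject.base, 'breakdown')
      or strings.icontains(subject.base, 'Access Your')
      or strings.icontains(subject.base, 'evaluation')
      or regex.icontains(subject.base, 'eval\b')
      or strings.icontains(subject.base, 'assessment')
      or strings.icontains(subject.base, 'appraisal')
      or strings.icontains(subject.base, 'feedback')
      or strings.icontains(subject.base, 'performance')
      or strings.icontains(subject.base, 'adjustment')
      or strings.icontains(subject.base, 'qualification')
      or strings.icontains(subject.base, 'increase')
      or strings.icontains(subject.base, 'raise')
      or strings.icontains(subject.base, 'change')
      or strings.icontains(subject.base, 'modification')
      or strings.icontains(subject.base, 'distribution')
      or strings.icontains(subject.base, 'details')
      or regex.icontains(subject.base, 'revis(?:ed|ion)')
      or regex.icontains(subject.base, 'amend(?:ed|ment)')
      or regex.icontains(subject.base, 'update(?:d| to)')
      or strings.icontains(subject.base, 'plan')
      or strings.icontains(subject.base, 'notification')
    )
  )
  // lures of this kind carry one document; a large attachment count is more likely legitimate
  and 0 < length(attachments) <= 3
  and any(attachments,
          // NOTE(review): extension match is a literal list membership test — confirm
          // .file_extension is normalized to lowercase upstream, otherwise "DOCX" slips past
          .file_extension in ("doc", "docx", "docm", "pdf", "pptx")
          and (
            // the file name contains pay related items
            strings.icontains(.file_name, 'salary')
            or strings.icontains(.file_name, 'compensation')
            or regex.icontains(.file_name, '\bpay(?:roll|\b)')
            or strings.icontains(.file_name, 'bonus')
            or strings.icontains(.file_name, 'incentive')
            // same word-boundary fix as the subject check above
            or regex.icontains(.file_name, 'merit\b')
            or strings.icontains(.file_name, 'handbook')
            or strings.icontains(.file_name, 'benefits')
            or regex.icontains(.file_name, 'empl[o0]yment')
          )
          and (
            // the file name also contains an update/review style term
            strings.icontains(.file_name, 'review')
            or strings.icontains(.file_name, 'evaluation')
            or regex.icontains(.file_name, 'eval\b')
            or strings.icontains(.file_name, 'assessment')
            or strings.icontains(.file_name, 'appraisal')
            or strings.icontains(.file_name, 'feedback')
            or strings.icontains(.file_name, 'performance')
            or strings.icontains(.file_name, 'adjustment')
            or strings.icontains(.file_name, 'increase')
            or strings.icontains(.file_name, 'increment')
            or strings.icontains(.file_name, 'raise')
            or strings.icontains(.file_name, 'change')
            or strings.icontains(.file_name, 'modification')
            or strings.icontains(.file_name, 'distribution')
            or strings.icontains(.file_name, 'statement')
            or regex.icontains(.file_name, 'revis(?:ed|ion)')
            or regex.icontains(.file_name, 'amend(?:ed|ment)')
            or regex.icontains(.file_name, 'adjust(?:ed|ment)')
            or regex.icontains(.file_name, 'update(?:d| to)')
            // month name followed by a year 2020-2039; '[23]' is a character class, the
            // previous '[2,3]{1}' also accepted a literal comma as the third digit
            or regex.icontains(.file_name,
                               '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[23]\d'
            )
            or strings.icontains(.file_name, 'contract')
            or (
              // file name contains recipient's email (personalized lure)
              any(recipients.to,
                  strings.icontains(..file_name, .email.email)
                  and .email.domain.valid
              )
            )
          )
  )
  // High-trust sender exclusion: both conditions are required, so a spoofed trusted
  // root domain that fails (or lacks) DMARC still fires the rule.
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
id: "a8bf1fd1-d9fa-572d-8957-51d6025a5248"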