sublimemediumRule

Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender

This rule identifies messages with an RFC822 attachment contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited, and has not been previously flagged as a false positive.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1036 T1027

defense-evasioninitial-access

Detection Query

type.inbound
and any(attachments,
        .file_type == "unknown"
        and (.content_type == "message/rfc822" or .file_extension in ('eml'))
        and regex.contains(file.parse_eml(.).subject.subject,
                           '(shared.{0,30}with you|View Document)'
        )
        and 0 < length(file.parse_eml(.).body.links) < 10
        and file.parse_eml(.).sender.email.email not in $recipient_emails

        // exclude bounce backs & read receipts
        and not strings.like(file.parse_eml(.).sender.email.local_part,
                             "*postmaster*",
                             "*mailer-daemon*",
                             "*administrator*"
        )
        and not regex.imatch(file.parse_eml(.).subject.subject,
                             "(undeliverable|read:).*"
        )
        and not any(file.parse_eml(.).attachments,
                    .content_type == "message/delivery-status"
        )

        // negate highly trusted sender domains in the nested eml unless they fail DMARC
        and (
          (
            file.parse_eml(.).sender.email.domain.root_domain in $high_trust_sender_root_domains
            and (
              any(distinct(file.parse_eml(.).headers.hops,
                           .authentication_results.dmarc is not null
                  ),
                  strings.ilike(.authentication_results.dmarc, "*fail")
              )
            )
          )
          or file.parse_eml(.).sender.email.domain.root_domain not in $high_trust_sender_root_domains
        )
        // negate org domains that passed dmarc
        and not file.parse_eml(.).sender.email.domain.root_domain in $org_domains
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender"
description: "This rule identifies messages with an RFC822 attachment contains language indicative of suspicious file-sharing activity. It checks both the original sender and the nested sender against highly trusted domains. The original message is unsolicited, and has not been previously flagged as a false positive."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_type == "unknown"
          and (.content_type == "message/rfc822" or .file_extension in ('eml'))
          and regex.contains(file.parse_eml(.).subject.subject,
                             '(shared.{0,30}with you|View Document)'
          )
          and 0 < length(file.parse_eml(.).body.links) < 10
          and file.parse_eml(.).sender.email.email not in $recipient_emails
  
          // exclude bounce backs & read receipts
          and not strings.like(file.parse_eml(.).sender.email.local_part,
                               "*postmaster*",
                               "*mailer-daemon*",
                               "*administrator*"
          )
          and not regex.imatch(file.parse_eml(.).subject.subject,
                               "(undeliverable|read:).*"
          )
          and not any(file.parse_eml(.).attachments,
                      .content_type == "message/delivery-status"
          )
  
          // negate highly trusted sender domains in the nested eml unless they fail DMARC
          and (
            (
              file.parse_eml(.).sender.email.domain.root_domain in $high_trust_sender_root_domains
              and (
                any(distinct(file.parse_eml(.).headers.hops,
                             .authentication_results.dmarc is not null
                    ),
                    strings.ilike(.authentication_results.dmarc, "*fail")
                )
              )
            )
            or file.parse_eml(.).sender.email.domain.root_domain not in $high_trust_sender_root_domains
          )
          // negate org domains that passed dmarc
          and not file.parse_eml(.).sender.email.domain.root_domain in $org_domains
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "d96854d7-d0a2-5342-a363-cee1ad51e7c9"