← Back to Explore
sublimemediumRule
Attachment: Fake scan-to-email
Message and attachment resemble an email from a scan-to-email service or device with credential theft language.
Detection Query
type.inbound
and (
length(body.current_thread.text) < 1500
// body length without disclaimer is shorter than 1500 characters
or (
any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "disclaimer"
),
.text
),
(length(body.current_thread.text) - length(.)) < 1500
)
)
)
and (
3 of (
strings.icontains(body.current_thread.text, "Number of Images:"),
strings.icontains(body.current_thread.text, "Attachment File Type:"),
strings.icontains(body.current_thread.text, "Device Model:"),
strings.icontains(body.current_thread.text, "Device Name:"),
strings.icontains(body.current_thread.text, "Resolution:"),
strings.icontains(body.current_thread.text, "File Format:"),
strings.icontains(body.current_thread.text, "Device Location:")
)
or (
3 of (
strings.ilike(body.current_thread.text, "*scan date*"),
strings.ilike(body.current_thread.text, "*was sent from*"),
strings.ilike(body.current_thread.text, "*of pages*"),
strings.ilike(body.current_thread.text, "*scanned file*"),
)
or any(file.explode(file.message_screenshot()),
3 of (
strings.ilike(body.current_thread.text, "*scan date*"),
strings.ilike(body.current_thread.text, "*was sent from*"),
strings.ilike(body.current_thread.text, "*of pages*"),
strings.ilike(body.current_thread.text, "*scanned file*"),
strings.icontains(body.current_thread.text, "Number of Images:"),
strings.icontains(body.current_thread.text,
"Attachment File Type:"
),
strings.icontains(body.current_thread.text, "Device Name:"),
strings.icontains(body.current_thread.text, "Device Location:"),
strings.icontains(body.current_thread.text, "Device Model:")
)
)
)
)
and (
(
length(filter(attachments, .file_type in ("pdf"))) == 1
and any(attachments,
.file_type == "pdf"
and (
any(file.explode(.),
(
strings.ilike(.scan.ocr.raw,
"*scan date*",
"*was sent from*",
"*of pages*",
"*verif*document*",
"*scanned file*"
)
or any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft"
)
or any(ml.logo_detect(..).brands,
.name in ("DocuSign", "Microsoft")
)
)
and length(.scan.url.urls) == 1
)
// encrypted pdf
or any(file.explode(.),
any(.scan.exiftool.fields, .key == "Encryption")
or (
.scan.entropy.entropy > 7
and any(.scan.strings.strings,
strings.icontains(., "/Encrypt")
)
)
)
)
)
)
or length(filter(attachments, .file_type in ("doc", "docx"))) == 1
)
and sender.email.domain.domain not in~ $org_domains
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Fake scan-to-email"
description: "Message and attachment resemble an email from a scan-to-email service or device with credential theft language."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
length(body.current_thread.text) < 1500
// body length without disclaimer is shorter than 1500 characters
or (
any(map(filter(ml.nlu_classifier(body.current_thread.text).entities,
.name == "disclaimer"
),
.text
),
(length(body.current_thread.text) - length(.)) < 1500
)
)
)
and (
3 of (
strings.icontains(body.current_thread.text, "Number of Images:"),
strings.icontains(body.current_thread.text, "Attachment File Type:"),
strings.icontains(body.current_thread.text, "Device Model:"),
strings.icontains(body.current_thread.text, "Device Name:"),
strings.icontains(body.current_thread.text, "Resolution:"),
strings.icontains(body.current_thread.text, "File Format:"),
strings.icontains(body.current_thread.text, "Device Location:")
)
or (
3 of (
strings.ilike(body.current_thread.text, "*scan date*"),
strings.ilike(body.current_thread.text, "*was sent from*"),
strings.ilike(body.current_thread.text, "*of pages*"),
strings.ilike(body.current_thread.text, "*scanned file*"),
)
or any(file.explode(file.message_screenshot()),
3 of (
strings.ilike(body.current_thread.text, "*scan date*"),
strings.ilike(body.current_thread.text, "*was sent from*"),
strings.ilike(body.current_thread.text, "*of pages*"),
strings.ilike(body.current_thread.text, "*scanned file*"),
strings.icontains(body.current_thread.text, "Number of Images:"),
strings.icontains(body.current_thread.text,
"Attachment File Type:"
),
strings.icontains(body.current_thread.text, "Device Name:"),
strings.icontains(body.current_thread.text, "Device Location:"),
strings.icontains(body.current_thread.text, "Device Model:")
)
)
)
)
and (
(
length(filter(attachments, .file_type in ("pdf"))) == 1
and any(attachments,
.file_type == "pdf"
and (
any(file.explode(.),
(
strings.ilike(.scan.ocr.raw,
"*scan date*",
"*was sent from*",
"*of pages*",
"*verif*document*",
"*scanned file*"
)
or any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft"
)
or any(ml.logo_detect(..).brands,
.name in ("DocuSign", "Microsoft")
)
)
and length(.scan.url.urls) == 1
)
// encrypted pdf
or any(file.explode(.),
any(.scan.exiftool.fields, .key == "Encryption")
or (
.scan.entropy.entropy > 7
and any(.scan.strings.strings,
strings.icontains(., "/Encrypt")
)
)
)
)
)
)
or length(filter(attachments, .file_type in ("doc", "docx"))) == 1
)
and sender.email.domain.domain not in~ $org_domains
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Image as content"
- "PDF"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "ea850cc1-b5ae-5405-a9e1-43ba91ef6e21"