← Back to Explore
sublimelowRule
Spam: Fake photo share
Message contains pretexting language about sharing photos ("found these photos and thought you'd like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.
Detection Query
type.inbound
and length(attachments) == 0
and (
(
(
(
(length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
or (
length(body.html.display_text) < 500
and length(body.current_thread.text) == 0
)
or (length(body.current_thread.text) < 500)
)
and strings.ilike(subject.subject,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
)
or (
(
(
length(body.html.display_text) < 500
and length(body.current_thread.text) == 0
)
and strings.ilike(body.html.display_text,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
)
or (
(length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
and strings.ilike(body.plain.raw,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
and not strings.icontains(body.plain.raw, "[cid:image")
)
or (
length(body.current_thread.text) < 500
and strings.ilike(body.current_thread.text,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
)
)
or (
body.plain.raw is not null
and body.html.display_text is null
and (
length(body.current_thread.text) == 0
or (
length(body.current_thread.text) < 500
// fake forward indicator in the plain text body
and (
regex.contains(body.plain.raw,
'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
)
or strings.icontains(body.plain.raw, 'Original Message')
)
and not regex.contains(body.current_thread.text,
'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
)
and not strings.icontains(body.current_thread.text,
'Original Message'
)
and not any(headers.hops, any(.fields, .name == "Resent-From"))
)
)
and strings.ilike(body.plain.raw,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*pics*"
)
and not strings.istarts_with(body.plain.raw, "[cid:image")
and strings.icontains(subject.subject, sender.display_name)
)
or (
strings.icontains(subject.subject, sender.display_name)
and sender.email.domain.root_domain in $free_email_providers
and length(body.links) == 2
and length(filter(body.links, .display_text == "h")) == 1
and length(filter(body.links, .display_url.scheme == "ttp")) == 1
)
)
and length(body.links) < 5
and any(body.links,
(
(
network.whois(.href_url.domain).days_old < 30
or not network.whois(.href_url.domain).found
or network.whois(.href_url.domain).found is null
)
and .href_url.domain.root_domain != sender.email.domain.root_domain
)
or (
length(.display_text) == 1
and .href_url.domain.root_domain in ("facebook.com", "youtube.com")
)
)
)
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
)
)
)
or length(headers.references) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Spam: Fake photo share"
description: 'Message contains pretexting language about sharing photos ("found these photos and thought you''d like them", "remember these photos?") and a link with a newly registered domain. Fake threads and plain text bodies have been seen in the wild, indicating active evasion techniques.'
type: "rule"
severity: "low"
source: |
type.inbound
and length(attachments) == 0
and (
(
(
(
(length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
or (
length(body.html.display_text) < 500
and length(body.current_thread.text) == 0
)
or (length(body.current_thread.text) < 500)
)
and strings.ilike(subject.subject,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
)
or (
(
(
length(body.html.display_text) < 500
and length(body.current_thread.text) == 0
)
and strings.ilike(body.html.display_text,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
)
or (
(length(body.plain.raw) < 500 and length(body.current_thread.text) == 0)
and strings.ilike(body.plain.raw,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
and not strings.icontains(body.plain.raw, "[cid:image")
)
or (
length(body.current_thread.text) < 500
and strings.ilike(body.current_thread.text,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*new pics*"
)
)
)
or (
body.plain.raw is not null
and body.html.display_text is null
and (
length(body.current_thread.text) == 0
or (
length(body.current_thread.text) < 500
// fake forward indicator in the plain text body
and (
regex.contains(body.plain.raw,
'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
)
or strings.icontains(body.plain.raw, 'Original Message')
)
and not regex.contains(body.current_thread.text,
'On (Sunday|Monday|Tuesday|Wednesday|Thursday|Friday|Saturday).{0,50} wrote'
)
and not strings.icontains(body.current_thread.text,
'Original Message'
)
and not any(headers.hops, any(.fields, .name == "Resent-From"))
)
)
and strings.ilike(body.plain.raw,
"*picture*",
"*photo*",
"*image*",
"*sad news*",
"*sad announcement*",
"*sad update*",
"*pics*"
)
and not strings.istarts_with(body.plain.raw, "[cid:image")
and strings.icontains(subject.subject, sender.display_name)
)
or (
strings.icontains(subject.subject, sender.display_name)
and sender.email.domain.root_domain in $free_email_providers
and length(body.links) == 2
and length(filter(body.links, .display_text == "h")) == 1
and length(filter(body.links, .display_url.scheme == "ttp")) == 1
)
)
and length(body.links) < 5
and any(body.links,
(
(
network.whois(.href_url.domain).days_old < 30
or not network.whois(.href_url.domain).found
or network.whois(.href_url.domain).found is null
)
and .href_url.domain.root_domain != sender.email.domain.root_domain
)
or (
length(.display_text) == 1
and .href_url.domain.root_domain in ("facebook.com", "youtube.com")
)
)
)
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
)
)
)
or length(headers.references) == 0
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Spam"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Sender analysis"
- "URL analysis"
- "Whois"
id: "eb086f7d-3ad7-52cd-8e16-3ce08726b9ea"