Create impersonation_display_name_cred_theft_image.yml (#4000)

Co-authored-by: CI Bot <hello@sublimesecurity.com>

Author: D-Bolton

detection-rules/impersonation_display_name_cred_theft_image.yml

@@ -0,0 +1,43 @@
+name: "Impersonation: Recipient organization in sender display name with credential theft image"
+description: "Sender display name contains the recipient's organization domain while the actual email address differs. Message includes a single image attachment with OCR-detected credential theft language referencing the recipient's domain, and has no body text."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) <= 1
+  and length(attachments) == 1
+  and strings.icontains(sender.display_name, recipients.to[0].email.domain.sld)
+  and length(recipients.to) == 1
+  and recipients.to[0].email.domain.root_domain in $org_domains
+  and 
+  // No body text
+  (
+    length(body.current_thread.text) == 0 or body.current_thread.text is null
+  )
+  and all(attachments,
+          .file_type in $file_types_images
+          //
+          // This rule makes use of a beta feature and is subject to change without notice
+          // using the beta feature in custom rules is not suggested until it has been formally released
+          //
+          and strings.icontains(beta.ocr(.).text,
+                                recipients.to[0].email.domain.sld
+          )
+          and any(ml.nlu_classifier(beta.ocr(.).text).intents,
+                  .name == "cred_theft" and .confidence == "high"
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Image as content"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "6abfb20e-ca83-5e24-ad1e-609e6df9dd24"