[PR #3808] added rule: Attachment: Fake lawyer & sports agent identities

Author: github-actions[bot]

detection-rules/3808_attachment_fake_lawyer_sports_agent.yml

@@ -0,0 +1,35 @@
+name: "Attachment: Fake lawyer & sports agent identities"
+description: "Detects messages containing attachments or content that reference known fake identities used in FC Barcelona scams, including fake lawyer Michael Gerardus Hermanus Demon and sports agents with the surname Giuffrida. The rule examines EXIF metadata, OCR text from attachments, and message body content for these specific identity markers."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(attachments) == 1
+  and (
+    // Michael is a fake lawyer used in fc barcelona scam
+    // Gabriele & Valerio "Giuffrida" are sports agent
+    any(["Michael Gerardus Hermanus Demon", "Giuffrida"],
+        any(attachments,
+            strings.icontains(beta.parse_exif(.).creator, ..)
+            or strings.icontains(beta.ocr(.).text, ..)
+        )
+        or strings.icontains(body.current_thread.text, .)
+        or strings.icontains(body.current_thread.text, .)
+        or any(body.previous_threads, strings.icontains(.text, ..))
+    )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: VIP"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Exif analysis"
+  - "File analysis"
+  - "Optical Character Recognition"
+id: "d8cbbf7d-7230-524d-ac26-e97e6c4e06e8"
+og_id: "7d3a2478-a373-50d6-97bb-2dd1c3f710f7"
+testing_pr: 3808
+testing_sha: 2d724375811e6fd405b04dd006602b2b8348fc05