@@ -4,27 +4,38 @@ type: "rule"
44severity : " high"
55source : |
66 type.inbound
7- and length(attachments) == 1
87 and sender.email.domain.root_domain in $free_email_providers
98 and (
109 strings.icontains(body.current_thread.text, "lawyer")
1110 and strings.icontains(body.current_thread.text, "before")
1211 and strings.icontains(body.current_thread.text, "attached")
1312 )
14- and (
15- all([
16- "payment to lawyer:",
17- "bank code:",
18- "account number:",
19- "please send swift copy"
20- ],
21- any(filter(attachments, .file_type == "docx"),
22- any(file.explode(.), strings.icontains(.scan.strings.raw, ...))
23- )
24- or any(filter(attachments, .file_type == "pdf"),
25- strings.icontains(beta.ocr(.).text, ..)
26- )
27- )
13+ and length(attachments) == 1
14+ and length(filter(attachments,
15+ .file_type in ("docx", "pdf")
16+ or .file_extension in ("docx", "pdf")
17+ )
18+ ) == 1
19+ and any(attachments,
20+ any([
21+ "payment to lawyer:",
22+ "bank code:",
23+ "account number:",
24+ "please send swift copy"
25+ ],
26+ // use file.explode for docx
27+ (
28+ (..file_extension == "docx" or ..file_type == "docx")
29+ and any(file.explode(..),
30+ strings.icontains(.scan.strings.raw, ..)
31+ )
32+ )
33+ // use ocr for PDF
34+ or (
35+ (..file_extension == "pdf" or ..file_type == "pdf")
36+ and strings.icontains(beta.ocr(..).text, .)
37+ )
38+ )
2839 )
2940attack_types :
3041 - " BEC/Fraud"
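Review bot: Switching the phrase test from `all([...])` to `any([...])` on the `any([` line loosens the detection so that a single generic phrase such as `bank code:` or `account number:` inside the one docx/pdf attachment is now enough to fire, which is a plausible false-positive source on legitimate invoices or contracts from free-mail senders whose body also happens to mention "lawyer", "before" and "attached". If the move to `any` was mainly to get the `.`/`..` scoping working (the old `all` form is removed rather than repaired), consider requiring at least two of the four phrases instead, e.g. replace `any([` with `length(filter([` and its matching close `)` with `)) >= 2`, leaving the predicate body as is. Separately, `file.explode(..)` and `beta.ocr(..)` sit inside the phrase loop, so unless the engine caches those calls each attachment is exploded or OCR'd once per phrase; nesting as `any(file.explode(.), any([...], strings.icontains(..scan.strings.raw, .)))` under `filter(attachments, .file_extension == "docx" or .file_type == "docx")` explodes each attachment once. The PDF branch could likewise OCR once by passing all four patterns to a single `strings.ilike(beta.ocr(.).text, "*payment to lawyer:*", "*bank code:*", ...)` call, which is worth confirming against the current MQL function signatures.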
@@ -41,4 +52,4 @@ detection_methods:
4152id : " e7a2717d-77e7-5164-9171-216f017342c6"
4253og_id : " 75aa34b3-9a77-5992-9722-9283405e9c49"
4354testing_pr : 3809
44- testing_sha : 4d37f8f9b9dc28c24eff13472285e2af13d80b19
55+ testing_sha : 34a1dd97313d62542b9fc316246fed8c54f15976