[PR #3831] added rule: Attachment: Employment contract update with suspicious file naming

Author: github-actions[bot]

detection-rules/3831_attachment_employment_contract_update.yml

@@ -0,0 +1,29 @@
+name: "Attachment: Employment contract update with suspicious file naming"
+description: "Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  // two attachments, one png and one pptx
+  and length(attachments) == 2
+  // the pptx has Empl0yment in name
+  and length(filter(attachments,
+                    .content_type == "application/octet-stream"
+                    and strings.contains(.file_name, "Empl0yment")
+             )
+  ) == 1
+  and strings.icontains(body.current_thread.text,
+                        "Your Employment Contract has being updated"
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+id: "08d2b71c-c57d-5c99-8e63-db14be829f07"
+og_id: "8bdcd2da-c970-5b55-81f8-1b95d3d9dce0"
+testing_pr: 3831
+testing_sha: 709c37fe527995775b293cbb967afb5c9eee8291