diff --git a/detection-rules/attachment_fake_lawyer_payment_details.yml b/detection-rules/attachment_fake_lawyer_payment_details.yml
new file mode 100644
index 00000000000..1b305487e41
--- /dev/null
+++ b/detection-rules/attachment_fake_lawyer_payment_details.yml
@@ -0,0 +1,52 @@
+name: "Attachment: Fake lawyer payment document with suspicious banking details"
+description: "Detects messages from free email providers that impersonate lawyer communications with attached documents containing suspicious banking payment instructions and account details."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and sender.email.domain.root_domain in $free_email_providers
+ and (
+ strings.icontains(body.current_thread.text, "lawyer")
+ and strings.icontains(body.current_thread.text, "before")
+ and strings.icontains(body.current_thread.text, "attached")
+ )
+ and length(attachments) == 1
+ and length(filter(attachments,
+ .file_type in ("docx", "pdf")
+ or .file_extension in ("docx", "pdf")
+ )
+ ) == 1
+ and any(attachments,
+ any([
+ "payment to lawyer:",
+ "bank code:",
+ "account number:",
+ "please send swift copy"
+ ],
+ // use file.explode for docx
+ (
+ (..file_extension == "docx" or ..file_type == "docx")
+ and any(file.explode(..),
+ strings.icontains(.scan.strings.raw, ..)
+ )
+ )
+ // use ocr for PDF
+ or (
+ (..file_extension == "pdf" or ..file_type == "pdf")
+ and strings.icontains(beta.ocr(..).text, .)
+ )
+ )
+ )
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Impersonation: Employee"
+ - "Social engineering"
+ - "PDF"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+id: "75aa34b3-9a77-5992-9722-9283405e9c49"
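Review bot: In the PDF branch of the inner `any([...], ...)`, `beta.ocr(..)` is invoked once per needle string, so a single PDF attachment is OCR'd up to four times per evaluation; unless the engine memoizes OCR output, collapsing the needles into one pattern call, e.g. `and regex.icontains(beta.ocr(..).text, "payment to lawyer:|bank code:|account number:|please send swift copy")`, does the same work once and keeps the docx branch unchanged. Nothing in the source excludes senders the recipient has an established relationship with, and free-mail correspondents who legitimately discuss a lawyer and an attached document will match the body predicate, so consider adding the corpus's usual sender-profile exclusion (something like `and not profile.by_sender().solicited`, if that is the convention elsewhere in this repo) to cut false positives. The `tactics_and_techniques` entry `"Impersonation: Employee"` does not obviously fit a lawyer-impersonation lure; a short comment in the rule, or a more specific tactic label if one exists in this taxonomy, would make the classification intent clear to a triager.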