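--- a/detection-rules/attachment_fake_lawyer_payment_details.yml
+++ b/detection-rules/attachment_fake_lawyer_payment_details.yml
@@ -0,0 +1,52 @@
+name: "Attachment: Fake lawyer payment document with suspicious banking details"
+description: "Detects messages from free email providers that impersonate lawyer communications with attached documents containing suspicious banking payment instructions and account details."
+type: "rule"
+severity: "high"
+source: |
+type.inbound
+and sender.email.domain.root_domain in $free_email_providers
+and (
+strings.icontains(body.current_thread.text, "lawyer")
+and strings.icontains(body.current_thread.text, "before")
+and strings.icontains(body.current_thread.text, "attached")
+)
+and length(attachments) == 1
+and length(filter(attachments,
+.file_type in ("docx", "pdf")
+or .file_extension in ("docx", "pdf")
+)
+) == 1
+and any(attachments,
+any([
+"payment to lawyer:",
+"bank code:",
+"account number:",
+"please send swift copy"
+],
+// use file.explode for docx
+(
+(..file_extension == "docx" or ..file_type == "docx")
+and any(file.explode(..),
+strings.icontains(.scan.strings.raw, ..)
+)
+)
+// use ocr for PDF
+or (
+(..file_extension == "pdf" or ..file_type == "pdf")
+and strings.icontains(beta.ocr(..).text, .)
+)
+)
+)
+attack_types:
+- "BEC/Fraud"
+tactics_and_techniques:
+- "Free email provider"
+- "Impersonation: Employee"
+- "Social engineering"
+- "PDF"
+detection_methods:
+- "Content analysis"
+- "File analysis"
+- "Optical Character Recognition"
+- "Sender analysis"
+id: "75aa34b3-9a77-5992-9722-9283405e9c49"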
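Review bot: The rule carries no sender-history exclusion, so a known correspondent who legitimately uses a free-mail address and sends an engagement letter with bank details will fire at `severity: "high"` every time; adding a sender-profile negation after the `$free_email_providers` test (the `profile.by_sender()` family, if this environment exposes it, e.g. `and not profile.by_sender().solicited`) is the usual guard, though I cannot see this repository's convention from the diff. Separately, `length(attachments) == 1` excludes any message that also carries an inline signature image, which is common in the lures this targets, so the count would be more robust if it were taken over non-image attachments rather than all of them. If the single-attachment constraint is deliberate, a one-line comment above it stating that (e.g. `// exactly one document: lure mails seen so far carry nothing else`) would stop the next reviewer from "fixing" it. Lastly, the OCR branch only runs on PDFs and the docx branch only inspects `.scan.strings.raw`, so a scanned image embedded in a DOCX is not covered; worth noting in the description if that is an accepted gap.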