From 81eb0b6a1d10e29189023c36d3b2ea7152c42a61 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 7 Mar 2024 19:43:49 +0000
Subject: [PATCH] Sync from PR#965 Create spam_sus_pdf_name.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/965 Source SHA 5c598ba31f2d76d3f4a2f7214c9213a9b2783b2a Triggered by @morriscode
---
 detection-rules/spam_sus_pdf_name.yml | 44 +++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 detection-rules/spam_sus_pdf_name.yml
diff --git a/detection-rules/spam_sus_pdf_name.yml b/detection-rules/spam_sus_pdf_name.yml
new file mode 100644
index 00000000000..50ac2d9401d
--- /dev/null
+++ b/detection-rules/spam_sus_pdf_name.yml
@@ -0,0 +1,44 @@
+name: "Spam: Multiple recipients, PDF attachment, and suspicious file name"
+description: "Message is addressed to many recipients and has a PDF attachment with a suspicious file name. The file name patterns listed here are consistant with mass spam, usually containing sexual imagery."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and length(recipients.to) > 3
+  and all(attachments, .file_extension == "pdf")
+  and (
+    (length(headers.references) == 0 and headers.in_reply_to is null)
+    or (
+      not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+      and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
+    )
+  )
+  and (
+    any(attachments,
+      strings.ilike(.file_name,
+        "*#*",
+        "*home*",
+        "*portrait*",
+        "*private*",
+        "*view*",
+        "*photo*",
+        "*vid*",
+        "*image*",
+        "*pics*",
+        "*movie*"
+      )
+    )
+    or any(attachments, strings.ilevenshtein(.file_name, subject.subject) < 5)
+  )
+attack_types:
+  - "Spam"
+tactics_and_techniques:
+  - "Evasion"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Header analysis"
+id: "ec470180-dbc7-574d-8a07-50ec54f6ce89"
+testing_pr: 965
+testing_sha: 5c598ba31f2d76d3f4a2f7214c9213a9b2783b2a
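Review bot: The unanchored wildcards in the `strings.ilike(.file_name, ...)` list are broad enough to match ordinary business attachments — `"*view*"` matches overview.pdf or interview.pdf, `"*vid*"` matches david.pdf or evidence.pdf, `"*pics*"` matches topics.pdf, `"*home*"` matches homework.pdf — and since the only other gates are more than three To recipients, all-PDF attachments and no reply headers, a legitimately bulk-sent report will fire this rule; consider narrowing these to the exact tokens observed in the spam samples or pairing the name match with an additional signal such as a first-time or low-prevalence sender, if the rule language exposes one. The `strings.ilevenshtein(.file_name, subject.subject) < 5` branch compares against the full file name including the `.pdf` extension, so a short subject and a short file name can land under the threshold by chance, and it is worth confirming how this branch behaves when `subject.subject` is null. `length(recipients.to) > 3` counts only the To header, so a message with one To and many Cc recipients does not meet the "many recipients" condition the description states; say so in the description if that is intended. Separately, `consistant` in the description is a typo: `description: "... The file name patterns listed here are consistent with mass spam, usually containing sexual imagery."`.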