diff --git a/detection-rules/body_encrypted_zip_password_attachment.yml b/detection-rules/body_encrypted_zip_password_attachment.yml
new file mode 100644
index 00000000000..afdc7d50bcd
--- /dev/null
+++ b/detection-rules/body_encrypted_zip_password_attachment.yml
@@ -0,0 +1,46 @@
+name: "Attachment: Encrypted zip file with payment-related lure"
+description: "Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(attachments) > 0
+ // 3 instances of zip/encrypted/payment information
+ and 3 of (
+ regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
+ regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
+ regex.icontains(body.current_thread.text,
+ 'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
+ ),
+ regex.icontains(body.current_thread.text,
+ 'details.{1,20}payment.{1,30}attach'
+ ),
+ strings.icontains(subject.subject, "you have received"),
+ strings.icontains(subject.subject, "new debit"),
+ strings.icontains(subject.subject, "payment confirmation"),
+ strings.icontains(subject.subject, "invoice attached")
+ )
+ and (
+ // one attachment included and the file is a zip
+ attachments[0].file_extension == "zip"
+ and (
+ regex.icontains(attachments[0].file_name,
+ 'payment|invoice|receipt|document|bank'
+ )
+ // long uppercase passwords
+ or regex.contains(body.current_thread.text, '[A-Z]{10,}')
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+id: "5d1eb7af-178b-50a0-85ee-d9eb4ffe4c6c"
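Review bot: The attachment check in the new rule only inspects `attachments[0]`, so a message whose zip is not the first attachment (for example after an inline image) never matches even though `length(attachments) > 0` admits any number of attachments; the comment says "one attachment included", but nothing requires `length(attachments) == 1`. Either require exactly one attachment or evaluate every attachment, e.g. `any(attachments, .file_extension == "zip" and (regex.icontains(.file_name, 'payment|invoice|receipt|document|bank') or regex.contains(body.current_thread.text, '[A-Z]{10,}')))`. The "long uppercase passwords" branch `regex.contains(body.current_thread.text, '[A-Z]{10,}')` also matches ordinary all-caps words such as CONFIDENTIAL, so once a zip is attached and three of the fairly generic subject phrases are present it carries most of the false-positive risk; consider narrowing it or stating in the comment that it is intentionally broad. The rule has no sender or solicited-mail exclusion, which may be deliberate at medium severity but deserves a line in the comment so tuners know it was considered.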