From b99832cf5ad8779421cce01aacd906dae68a3bd2 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Thu, 6 Nov 2025 16:45:55 -0500
Subject: [PATCH 1/2] LWescott create body_encrypted_zip_password_attachment.yml
---
 ...body_encrypted_zip_password_attachment.yml | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 detection-rules/body_encrypted_zip_password_attachment.yml
diff --git a/detection-rules/body_encrypted_zip_password_attachment.yml b/detection-rules/body_encrypted_zip_password_attachment.yml
new file mode 100644
index 00000000000..7556c3c93db
--- /dev/null
+++ b/detection-rules/body_encrypted_zip_password_attachment.yml
@@ -0,0 +1,45 @@
+name: "Attachment: Encrypted zip file with payment-related lure"
+description: "Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(attachments) > 0
+ // 3 instances of zip/encrypted/payment information
+ and 3 of (
+ regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
+ regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
+ regex.icontains(body.current_thread.text,
+ 'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
+ ),
+ regex.icontains(body.current_thread.text,
+ 'details.{1,20}payment.{1,30}attach'
+ ),
+ strings.icontains(subject.subject, "you have received"),
+ strings.icontains(subject.subject, "new debit"),
+ strings.icontains(subject.subject, "payment confirmation"),
+ strings.icontains(subject.subject, "invoice attached")
+ )
+ and (
+ // one attachment included and the file is a zip
+ attachments[0].file_extension == "zip"
+ and (
+ regex.icontains(attachments[0].file_name,
+ 'payment|invoice|receipt|document|bank'
+ )
+ // long uppercase passwords
+ or regex.contains(body.current_thread.text, '[A-Z]{10,}')
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
From 38b90564b114220f0b65bf13ab8c64616dbfe8cc Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Thu, 6 Nov 2025 21:50:04 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/body_encrypted_zip_password_attachment.yml | 1 +
 1 file changed, 1 insertion(+)
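Review bot: The attachment test at the bottom of `source` only inspects `attachments[0]`, so a message whose first attachment is an inline image or signature logo and whose zip comes second is never matched, even though the guard `length(attachments) > 0` and the comment `// one attachment included and the file is a zip` suggest a single-zip case that the condition does not actually enforce. Iterating with `any(attachments, ...)` and scoping the filename regex to the iterated item via `.file_name` closes that gap without changing what the rule looks for. Separately, `detection_methods` lists "Archive analysis" but nothing in the rule explodes or inspects the archive — it matches on extension and filename only — so either drop that tag or, if the platform exposes an encrypted-archive flag on exploded attachments, assert it so the rule keys on the artifact rather than the lure wording. The `regex.contains(body.current_thread.text, '[A-Z]{10,}')` fallback also fires on any ten-letter shouted word such as CONFIDENTIAL in disclaimer footers, which is worth tightening before this runs at medium severity.
```yaml
  // … unchanged: type.inbound guard and the "3 of" lure block …
  and any(attachments,
          .file_extension == "zip"
          and (
            regex.icontains(.file_name, 'payment|invoice|receipt|document|bank')
            // long uppercase passwords
            or regex.contains(body.current_thread.text, '[A-Z]{10,}')
          )
  )
```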
diff --git a/detection-rules/body_encrypted_zip_password_attachment.yml b/detection-rules/body_encrypted_zip_password_attachment.yml
index 7556c3c93db..afdc7d50bcd 100644
--- a/detection-rules/body_encrypted_zip_password_attachment.yml
+++ b/detection-rules/body_encrypted_zip_password_attachment.yml
@@ -43,3 +43,4 @@ detection_methods:
 - "Archive analysis"
 - "Content analysis"
 - "File analysis"
+id: "5d1eb7af-178b-50a0-85ee-d9eb4ffe4c6c"