[PR #3024] changed rule: Credential Phishing: Image as content, short or no body contents

github-actions[bot] · github-actions[bot] · commit 007bb2cc972f · 2025-08-05T16:06:41.000Z
diff --git a/detection-rules/3024_attachment_credential_phishing_image_as_content.yml b/detection-rules/3024_attachment_credential_phishing_image_as_content.yml
@@ -0,0 +1,74 @@
+name: "Credential Phishing: Image as content, short or no body contents"
+description: |
+  This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
+  or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
+  to high-confidence credit theft intentions.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.current_thread.links) < 2
+  and 0 < (length(attachments)) < 3
+  and (
+    // body text is very short
+    (
+      0 <= (length(body.current_thread.text)) < 10
+      or body.current_thread.text is null
+    )
+    or (
+      length(body.current_thread.text) < 900
+      // or body is most likely all warning banner (text contains the sender and common warning banner language)
+      and (
+        (
+          strings.contains(body.current_thread.text, sender.email.email)
+          and strings.contains(body.current_thread.text, 'caution')
+        )
+        or regex.icontains(body.current_thread.text,
+                           "intended recipient's use only|external email|sent from outside|you don't often"
+        )
+        // this is an attempt as negating cases where the email signature is the majority of the email body length
+        or any(attachments,
+               (.file_type in $file_types_images)
+               and any(ml.nlu_classifier(beta.ocr(.).text).intents,
+                       .name == "cred_theft" and .confidence == "high"
+               )
+               // the credential theft image must be 2.5x the amount of text as the body itself
+               and (
+                 length(beta.ocr(.).text) / (
+                   length(body.current_thread.text) + 0.0
+                 )
+               ) > 2.5
+        )
+      )
+    )
+  )
+  and (
+    any(attachments,
+        (.file_type in $file_types_images)
+        and (
+          any(file.explode(.),
+              any(.scan.exiftool.fields, .value == "Truncated PNG image")
+              or any(ml.logo_detect(..).brands, .name is not null)
+              or any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                     .name == "cred_theft" and .confidence == "high"
+              )
+          )
+        )
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Image as content"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+id: "d9602a2d-1a78-5211-a64a-2c9d4b0fbb1e"
+og_id: "01313f38-d0d1-5240-b407-8f9158639277"
+testing_pr: 3024
+testing_sha: ab2b8ac6a72cc893ed438acffded712c43ec11c4
