Adversaries may use phishing attachments in scam emails to deliver malicious payloads and compromise user systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing attacks before they lead to data breaches or system compromise.
YARA Rule
rule attachment : mail {
    meta:
        author = "A.Sanchez <[email protected]>"
        description = "Detects scam emails with phishing attachment."
        test1 = "email/eml/transferencia1.eml"
        test2 = "email/eml/transferencia2.eml"
    strings:
        // HTML attachment posing as a PDF, matched in the MIME Content-Disposition header
        $filename = "filename=\"scan001.pdf.html\""
        // Fragments of base64-encoded, URL-encoded JavaScript; the decoded text is in the trailing comments
        $pleaseEnter = "NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlN" // Please enter
        $emailReq = "NkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0I" // ment.index2.Email;
        $pAssign = "NzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl" // p = document.inde
    condition:
        all of them
}
This rule contains 4 string patterns in its detection logic, and its condition requires all of them to match. When deploying it, consider the following benign scenarios as potential false positives, each with a suggested filter or exclusion:
Scenario: A system administrator sends a scheduled backup job that includes a .zip file with a misleading name (e.g., backup_credentials.zip) to a team mailbox.
Filter/Exclusion: Exclude files generated by the backup tool Veeam Backup & Replication with the file extension .zip and sender email matching the admin’s corporate email.
Scenario: A developer uses a CI/CD pipeline to deploy code, and the deployment script generates a temporary .sh file that is mistakenly flagged as a phishing attachment.
Filter/Exclusion: Exclude files created by the CI/CD tool Jenkins with the file extension .sh and originating from the devops team’s internal email address.
Scenario: A user receives a legitimate email from the IT help desk with an attachment containing a system diagnostic report, which is misclassified as a phishing attempt.
Filter/Exclusion: Exclude attachments with the file name diagnostic_report_*.pdf and sender email matching the IT help desk’s official email address.
Scenario: A scheduled report generation tool (e.g., Power BI or Tableau) sends an email with an .xlsx attachment to a team, which is flagged as a phishing attachment.
Filter/Exclusion: Exclude attachments with the file extension .xlsx and sender email matching the Power BI service email or the internal reporting team’s email.
Scenario: A user receives a test email from the security team containing a phishing simulation attachment, which is mistakenly flagged by the detection rule.
Filter/Exclusion: Exclude emails sent from the internal security team email address [email protected] and containing the subject line Phishing Simulation.
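The script below is an added example, not code from the original page or from the rule's author, and it uses only the Python standard library. It reproduces the rule's four string checks and its "all of them" condition over raw .eml bytes (which is what YARA scans), decodes the base64 and URL-encoded layer the three hex strings were cut from (confirming the trailing comments in the rule), and applies sender, file-name and subject exclusions of the kind the scenarios above describe before an alert is raised. All addresses, file names and sample messages are constructed; the exclusion list models the help-desk and phishing-simulation scenarios. Because the condition requires the exact scan001.pdf.html file name plus all three script fragments, exclusions for .zip, .sh or .xlsx attachments cannot fire on this rule as written and only matter if the rule is broadened.

```python
"""Added example (not part of the rule page): pure-Python re-implementation of the
rule's string checks, a decoder for its obfuscated fragments, and exclusion-aware triage."""
import base64
import email
import fnmatch
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import unquote

# The four strings exactly as they appear in the YARA rule.
RULE_STRINGS = {
    "filename": b'filename="scan001.pdf.html"',
    "pleaseEnter": b"NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlN",
    "emailReq": b"NkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0I",
    "pAssign": b"NzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl",
}

# Exclusions modelled on the page's scenarios; the addresses are constructed.
# "filename" is a glob every attachment must match, "subject" a required substring.
EXCLUSIONS = [
    {"sender": "helpdesk@example.com", "filename": "diagnostic_report_*.pdf", "subject": None},
    {"sender": "secteam@example.com", "filename": None, "subject": "Phishing Simulation"},
]


def decode_fragment(frag: bytes) -> str:
    """Recover the JavaScript text a rule string was cut from. The strings are base64 of
    URL-encoded JavaScript cut at base64 group boundaries, so the decoded text may start
    inside a %XX token (its '%' fell into the previous group) or end with a partial one."""
    rem = len(frag) % 4
    if rem == 1:                      # a lone trailing base64 char carries no whole byte
        frag = frag[:-1]
    elif rem:
        frag += b"=" * (4 - rem)
    encoded = base64.b64decode(frag).decode("ascii")
    if re.match(r"[0-9A-Fa-f]{2}", encoded):
        encoded = "%" + encoded       # restore the '%' lost to the previous group
    encoded = re.sub(r"%[0-9A-Fa-f]?$", "", encoded)  # drop an incomplete trailing token
    return unquote(encoded)


def string_hits(raw: bytes) -> dict:
    """Which of the rule's strings occur in the raw message bytes."""
    return {name: s in raw for name, s in RULE_STRINGS.items()}


def rule_matches(raw: bytes) -> bool:
    """The rule's condition is 'all of them'."""
    return all(string_hits(raw).values())


def is_excluded(sender: str, subject: str, filenames: list, exclusions: list) -> bool:
    """An exclusion applies only when the sender matches and every other field it
    specifies matches as well; an unexpected extra attachment still alerts."""
    for ex in exclusions:
        if sender.lower() != ex["sender"].lower():
            continue
        if ex["subject"] is not None and ex["subject"] not in subject:
            continue
        if ex["filename"] is not None and not (
            filenames and all(fnmatch.fnmatch(f.lower(), ex["filename"].lower()) for f in filenames)
        ):
            continue
        return True
    return False


def triage(raw: bytes, exclusions: list = EXCLUSIONS) -> str:
    """Return 'no-match', 'excluded' or 'alert' for one raw .eml."""
    if not rule_matches(raw):
        return "no-match"
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1]
    subject = str(msg["Subject"] or "")
    filenames = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return "excluded" if is_excluded(sender, subject, filenames, exclusions) else "alert"


def build_sample(sender: str, subject: str) -> bytes:
    """Construct a raw .eml carrying an HTML attachment of the kind the rule targets."""
    blob = b"".join(RULE_STRINGS[k] for k in ("pleaseEnter", "emailReq", "pAssign"))
    lines = [
        b"From: " + sender.encode(), b"To: staff@example.com",
        b"Subject: " + subject.encode(), b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="bnd"', b"",
        b"--bnd", b"Content-Type: text/plain", b"", b"Please see the attached scan.",
        b"--bnd", b'Content-Type: text/html; name="scan001.pdf.html"',
        b'Content-Disposition: attachment; filename="scan001.pdf.html"', b"",
        b"<script>var data = '" + blob + b"';</script>", b"--bnd--", b"",
    ]
    return b"\r\n".join(lines)


# Constructed samples: a scam message, the security team's simulation, and a plain note.
PHISH_EML = build_sample("Scanner <scanner@example.net>", "Scanned document")
SIMULATION_EML = build_sample("Security Team <secteam@example.com>", "Phishing Simulation - Q3")
BENIGN_EML = b"From: alice@example.com\r\nSubject: lunch?\r\n\r\nNoon works for me.\r\n"

if __name__ == "__main__":
    for name in ("pleaseEnter", "emailReq", "pAssign"):
        print(f"{name:12s} -> {decode_fragment(RULE_STRINGS[name])!r}")
    for label, raw in (("phish", PHISH_EML), ("simulation", SIMULATION_EML), ("benign", BENIGN_EML)):
        print(f"{label:12s} -> {triage(raw)}")
```

The exclusion check deliberately requires every attachment on a message to match the allow-listed file-name pattern: a help-desk report that arrives together with an unexpected second attachment is still surfaced, which is the safer default when the allow list is keyed on a spoofable sender address.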