Adversaries may use phishing attachments in scam emails to deliver malicious payloads and compromise user systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing attacks before they lead to data breaches or system compromises.
YARA Rule
rule content : mail {
    meta:
        author = "A.Sanchez <[email protected]>"
        description = "Detects scam emails with phishing attachment."
        test1 = "email/eml/transferencia1.eml"
        test2 = "email/eml/transferencia2.eml"
    strings:
        $subject = "Asunto: Justificante de transferencia" nocase
        $body = "Adjunto justificante de transferencia"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: A system administrator sends a scheduled backup job via email that includes a .zip file containing sensitive data.
Filter/Exclusion: Exclude emails sent by the system administrator using the [email protected] address or filter emails with the subject line containing “Scheduled Backup”.
Scenario: A user receives a legitimate email from a third-party vendor with an attachment containing a software update, which is common in enterprise environments.
Filter/Exclusion: Exclude emails from known vendors (e.g., [email protected]) or filter emails with the attachment type application/octet-stream that match known update file names.
Scenario: A developer shares code via email using a .tar.gz file as part of a code review process.
Filter/Exclusion: Exclude emails sent from the development team’s email group ([email protected]) or filter emails with the attachment name containing “code_review”.
Scenario: A user receives an email from the internal helpdesk with an attachment containing a password reset token.
Filter/Exclusion: Exclude emails from the helpdesk email address ([email protected]) or filter emails with the subject line containing “Password Reset”.
Scenario: A scheduled job runs a script that generates a report and sends it via email with an .xlsx attachment.
Filter/Exclusion: Exclude emails sent by the job scheduler (e.g., [email protected]) or filter emails with the attachment type application/vnd.openxmlformats-officedocument.spreadsheetml.sheet and a specific file name pattern.
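The following is an added example, not the page's own code and not a substitute for running yara against the .eml test files named in the rule's meta. It re-implements the rule's two strings and its `all of them` condition in plain Python over raw message text (YARA scans the file bytes, so the `$subject` string matches the literal text "Asunto: ..." wherever it appears, not the parsed RFC 5322 `Subject:` header), and then layers the sender and subject-line exclusions from the scenarios above on top of the parsed headers. The sample messages and the allow-list addresses are constructed placeholders.

```python
"""Pure-Python mirror of the page's YARA rule plus scenario-style exclusions.

Rule semantics reproduced here:
  $subject  "Asunto: Justificante de transferencia"  nocase  -> case-insensitive
  $body     "Adjunto justificante de transferencia"          -> case-sensitive
  condition: all of them                                    -> both must occur
"""
import email
from email import policy
from email.utils import parseaddr

SUBJECT_PATTERN = "Asunto: Justificante de transferencia"  # $subject, nocase
BODY_PATTERN = "Adjunto justificante de transferencia"     # $body, exact case

# Constructed allow-list in the spirit of the page's filter/exclusion
# scenarios; these addresses are placeholders, not real senders.
TRUSTED_SENDERS = {"scheduler@example.invalid", "helpdesk@example.invalid"}
TRUSTED_SUBJECT_MARKERS = ("Scheduled Backup", "Password Reset")


def yara_rule_matches(raw_eml: str) -> bool:
    """`all of them`: both strings must occur somewhere in the raw message text."""
    subject_hit = SUBJECT_PATTERN.lower() in raw_eml.lower()  # nocase modifier
    body_hit = BODY_PATTERN in raw_eml                        # no modifier: exact case
    return subject_hit and body_hit


def is_excluded(raw_eml: str) -> bool:
    """Sender / subject exclusions, evaluated on parsed headers, not raw text."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    if sender.lower() in TRUSTED_SENDERS:
        return True
    return any(marker in subject for marker in TRUSTED_SUBJECT_MARKERS)


def triage(raw_eml: str) -> str:
    """Return 'alert', 'excluded' or 'clean' for one raw .eml text."""
    if not yara_rule_matches(raw_eml):
        return "clean"
    return "excluded" if is_excluded(raw_eml) else "alert"


# Constructed sample messages (not the page's transferencia1/2.eml test files).
PHISH_EML = (
    "From: Notificaciones <avisos@example.invalid>\n"
    "To: victim@example.invalid\n"
    "Subject: Justificante de transferencia\n"
    "\n"
    "ASUNTO: JUSTIFICANTE DE TRANSFERENCIA\n"            # $subject via nocase
    "Adjunto justificante de transferencia. Saludos.\n"  # $body, exact case
)
# Same message with the body phrase lower-cased: $body has no `nocase`, so no match.
LOWERCASE_BODY_EML = PHISH_EML.replace(BODY_PATTERN, BODY_PATTERN.lower())
# Only the RFC 5322 "Subject:" header carries the phrase; the literal "Asunto:"
# text the rule looks for is absent, so the rule does not fire.
HEADER_ONLY_EML = (
    "From: avisos@example.invalid\nTo: victim@example.invalid\n"
    "Subject: Justificante de transferencia\n\nAdjunto justificante de transferencia\n"
)
# Rule matches, but the sender is on the constructed allow-list.
TRUSTED_EML = PHISH_EML.replace("avisos@example.invalid", "scheduler@example.invalid")

if __name__ == "__main__":
    for name, sample in [("phish", PHISH_EML), ("lowercase_body", LOWERCASE_BODY_EML),
                         ("header_only", HEADER_ONLY_EML), ("trusted", TRUSTED_EML)]:
        print(f"{name:15s} {triage(sample)}")
```

Two caveats the samples illustrate: because the rule's `$subject` string begins with the Spanish word "Asunto:", a raw message whose phrase lives only in the standard `Subject:` header does not match, and a subject header encoded per RFC 2047 (`=?UTF-8?Q?...?=`) would not match a plain YARA string either; `$body` is case-sensitive, so a lower-cased variant slips past. Exclusions are applied to parsed headers rather than raw bytes so that a trusted address quoted inside a phishing body does not suppress the alert.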