The CryptoWall Resume phish detection rule identifies potential phishing attempts where adversaries may use a resume as a lure to deliver malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage phishing campaigns that could lead to ransomware deployment.
YARA Rule
rule CryptoWall_Resume_phish : mail
{
meta:
Author = "http://phishme.com/"
reference = "https://github.com/phishme/malware_analysis/blob/master/yara_rules/cryptowall.yar"
strings:
$hello2="my name is " nocase
$file1="resume attached" nocase
$file2="my resume is pdf file" nocase
$file3="attached is my resume" nocase
$sal1="I would appreciate your " nocase
$sal2="I am looking forward to hearing from you" nocase
$sal3="I look forward to your reply" nocase
$sal4="Please message me back" nocase
$sal5="our early reply will be appreciated" nocase
$file4="attach is my resume" nocase
$file5="PDF file is my resume" nocase
$sal6="Looking forward to see your response" nocase
condition:
1 of ($hello*) and 1 of ($file*) and 1 of ($sal*)
}This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
Scenario: IT Admin Distributing Phishing Awareness Training Materials
Description: An IT admin sends an email with a resume attachment as part of a phishing awareness training exercise.
Filter/Exclusion: Exclude emails sent from IT admin accounts during scheduled phishing training campaigns (e.g., from: [email protected] OR subject:*phishing training*).
Scenario: Scheduled Job Exporting User Resumes for HR Review
Description: A scheduled job runs daily to export user resumes from a HR system (e.g., Workday or BambooHR) for internal review.
Filter/Exclusion: Exclude attachments with file extensions .pdf or .docx from known HR systems (e.g., file_name:*resume*.pdf OR file_name:*resume*.docx).
Scenario: Developer Testing Email Notifications with Sample Resume
Description: A developer sends a test email with a sample resume to verify email notification workflows.
Filter/Exclusion: Exclude emails sent to internal testing addresses (e.g., to: [email protected] OR cc: [email protected]).
Scenario: System Backup Including User Resumes
Description: A backup process includes user resumes as part of a full system backup, resulting in a resume attachment in the backup archive.
Filter/Exclusion: Exclude files with the .zip or .tar.gz extension from backup directories (e.g., file_name:*backup*.zip OR file_name:*backup*.tar.gz).
Scenario: HR Sharing Resume Files with External Recruitment Agency
Description: HR shares resume files with a third-party recruitment agency via email, which is a legitimate business practice.
Filter/Exclusion: Exclude emails sent to known recruitment agencies (e.g., to: [email protected]