The presence of image files in a payload may indicate an adversary attempting to exfiltrate data or embed malicious content within seemingly benign files. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or stealthy malware delivery mechanisms.
YARA Rule
rule with_images : mail {
    meta:
        author = "Antonio Sanchez <[email protected]>"
        reference = "http://laboratorio.blogs.hispasec.com/"
        description = "Rule to detect the presence of one or several images"
    strings:
        // Mail header markers: all three must be present (matched case-sensitively)
        $eml_01 = "From:"
        $eml_02 = "To:"
        $eml_03 = "Subject:"
        // Common image extensions: any one is enough (matched case-insensitively)
        $img_a = ".jpg" nocase
        $img_b = ".png" nocase
        $img_c = ".bmp" nocase
    condition:
        all of ( $eml_* ) and
        any of ( $img_* )
}
The rule's detection logic uses six string patterns: three email header markers ($eml_01 to $eml_03), all of which must be present, and three image file extensions ($img_a to $img_c), of which any one suffices. Because the extensions are matched as plain substrings, a file name or URL mentioned in the message body triggers the rule just as an attachment does. The scenarios below describe benign activity that can match the rule and how to tune for it.
Scenario: A system administrator uploads a screenshot of a server dashboard to a ticketing system for documentation.
Filter/Exclusion: Exclude files uploaded to known ticketing systems (e.g., Jira, ServiceNow) using the file path or MIME type.
Scenario: A scheduled backup job includes image files (e.g., screenshots of applications) as part of a full system backup.
Filter/Exclusion: Exclude files from backup directories (e.g., /backup/, /var/backups/) or use a file type filter to exclude common image extensions (e.g., .jpg, .png).
Scenario: A developer uses a tool like screencast or ffmpeg to record a video of a UI test, which includes image frames in the payload.
Filter/Exclusion: Exclude files generated by known screen recording tools or video processing software using process name or command-line arguments.
Scenario: A user sends an email with an attached image (e.g., a logo or graphic) as part of a legitimate business communication.
Filter/Exclusion: Exclude files sent to or from specific email domains or users, or filter based on email headers (e.g., From, To, Subject).
Scenario: A security tool like Wireshark or tcpdump captures network traffic that includes image data during a packet analysis task.
Filter/Exclusion: Exclude traffic from known packet capture tools or filter based on process names or network interfaces (e.g., lo, eth0).
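As an added example (not part of the page or of the rule author's code), the following Python mirrors the rule's condition so the header/extension logic can be exercised offline, and layers on the From-header exclusion from the business-email scenario above. The trusted-domain list and the sample messages are constructed for illustration.

```python
import re

# Strings reproduced from the with_images rule.
EML_MARKERS = (b"From:", b"To:", b"Subject:")   # case-sensitive in the rule
IMG_EXTENSIONS = (b".jpg", b".png", b".bmp")    # declared `nocase` in the rule


def with_images(data: bytes) -> bool:
    """Mirror of the condition: all of ($eml_*) and any of ($img_*)."""
    lowered = data.lower()  # emulate `nocase` for the image extensions only
    return (all(marker in data for marker in EML_MARKERS)
            and any(ext in lowered for ext in IMG_EXTENSIONS))


def sender_domain(data: bytes) -> str:
    """Domain part of the first From: header, lower-cased ('' if absent)."""
    m = re.search(rb"^From:.*?@([A-Za-z0-9.-]+)", data, re.MULTILINE)
    return m.group(1).decode().lower() if m else ""


def triage(data: bytes, trusted_domains=frozenset()) -> str:
    """Run the rule, then suppress matches from trusted sender domains
    (the header-based exclusion suggested for legitimate business mail)."""
    if not with_images(data):
        return "no_match"
    if sender_domain(data) in trusted_domains:
        return "suppressed"
    return "alert"


# Constructed sample messages (not real traffic).
INTERNAL_LOGO = (b"From: hr@example.com\nTo: staff@example.com\n"
                 b"Subject: Newsletter\n\nSee logo.PNG attached.\n")
EXTERNAL_IMG = (b"From: x@mail.test\nTo: cfo@example.com\n"
                b"Subject: Invoice\n\nOpen invoice.jpg\n")
NO_HEADERS = b"just a note about photo.jpg"          # no mail headers: no match
PLAIN_MAIL = (b"From: a@example.com\nTo: b@example.com\n"
              b"Subject: hi\n\nno attachments\n")     # headers but no image

if __name__ == "__main__":
    trusted = frozenset({"example.com"})  # hypothetical allow-list
    for name, msg in [("internal_logo", INTERNAL_LOGO), ("external_img", EXTERNAL_IMG),
                      ("no_headers", NO_HEADERS), ("plain_mail", PLAIN_MAIL)]:
        print(f"{name:14} rule={with_images(msg)!s:5} triage={triage(msg, trusted)}")
```

Note that "logo.PNG" in the body is enough to fire the rule, which is exactly why the sender-domain exclusion matters for newsletter-style mail.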