[PR #3427] added rule: Attachment: Suspicious employee policy update document lure

github-actions[bot] · github-actions[bot] · commit 8f4b524ed141 · 2025-10-22T12:25:16.000Z
diff --git a/detection-rules/3427_attachment_sus_employee_doc.yml b/detection-rules/3427_attachment_sus_employee_doc.yml
@@ -0,0 +1,105 @@
+name: "Attachment: Suspicious employee policy update document lure"
+description: "Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology.  This pattern has been observed used to delivery credential phishing via QR codes."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    // the subject contains pay related items
+    (
+      strings.icontains(subject.subject, 'salary')
+      or regex.icontains(subject.subject, '\bpay(?:out|roll|\b)')
+      or strings.icontains(subject.subject, 'remuneration')
+      or strings.icontains(subject.subject, 'bonus')
+      or strings.icontains(subject.subject, 'incentive')
+      or strings.icontains(subject.subject, 'merit')
+      or strings.icontains(subject.subject, 'handbook')
+      or strings.icontains(subject.subject, 'benefits')
+      or strings.icontains(subject.subject, 'earnings')
+    )
+    and (
+      strings.icontains(subject.subject, 'review')
+      or strings.icontains(subject.subject, 'breakdown')
+      or strings.icontains(subject.subject, 'Access Your')
+      or strings.icontains(subject.subject, 'evaluation')
+      or regex.icontains(subject.subject, 'eval\b')
+      or strings.icontains(subject.subject, 'assessment')
+      or strings.icontains(subject.subject, 'appraisal')
+      or strings.icontains(subject.subject, 'feedback')
+      or strings.icontains(subject.subject, 'performance')
+      or strings.icontains(subject.subject, 'adjustment')
+      or strings.icontains(subject.subject, 'qualification')
+      or strings.icontains(subject.subject, 'increase')
+      or strings.icontains(subject.subject, 'raise')
+      or strings.icontains(subject.subject, 'change')
+      or strings.icontains(subject.subject, 'modification')
+      or strings.icontains(subject.subject, 'distribution')
+      or strings.icontains(subject.subject, 'details')
+      or regex.icontains(subject.subject, 'revis(?:ed|ion)')
+      or regex.icontains(subject.subject, 'amend(?:ed|ment)')
+      or regex.icontains(subject.subject, 'update(?:d| to)')
+      or strings.icontains(subject.subject, 'plan')
+      or strings.icontains(subject.subject, 'notification')
+    )
+  )
+  and 0 < length(attachments) <= 3
+  and any(attachments,
+          .file_extension in ("doc", "docx", "docm", "pdf")
+          and (
+            strings.icontains(.file_name, 'salary')
+            or strings.icontains(.file_name, 'compensation')
+            or regex.icontains(.file_name, '\bpay(?:roll|\b)')
+            or strings.icontains(.file_name, 'bonus')
+            or strings.icontains(.file_name, 'incentive')
+            or strings.icontains(.file_name, 'merit')
+            or strings.icontains(.file_name, 'handbook')
+            or strings.icontains(.file_name, 'benefits')
+          )
+          and (
+            strings.icontains(.file_name, 'review')
+            or strings.icontains(.file_name, 'evaluation')
+            or regex.icontains(.file_name, 'eval\b')
+            or strings.icontains(.file_name, 'assessment')
+            or strings.icontains(.file_name, 'appraisal')
+            or strings.icontains(.file_name, 'feedback')
+            or strings.icontains(.file_name, 'performance')
+            or strings.icontains(.file_name, 'adjustment')
+            or strings.icontains(.file_name, 'increase')
+            or strings.icontains(.file_name, 'increment')
+            or strings.icontains(.file_name, 'raise')
+            or strings.icontains(.file_name, 'change')
+            or strings.icontains(.file_name, 'modification')
+            or strings.icontains(.file_name, 'distribution')
+            or strings.icontains(.file_name, 'statement')
+            or regex.icontains(.file_name, 'revis(?:ed|ion)')
+            or regex.icontains(.file_name, 'amend(?:ed|ment)')
+            or regex.icontains(.file_name, 'adjust(?:ed|ment)')
+            or regex.icontains(.file_name, 'update(?:d| to)')
+            or regex.icontains(.file_name, '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}')
+            or (
+              // file name contains recipient's email
+              any(recipients.to,
+                  strings.icontains(..file_name, .email.email)
+                  and .email.domain.valid
+              )
+            )
+          )
+  )
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "PDF"
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Sender analysis"
+id: "02e8ec08-c623-5794-8bde-5e784430100b"
+og_id: "a8bf1fd1-d9fa-572d-8957-51d6025a5248"
+testing_pr: 3427
+testing_sha: df46e5c78a7b0b18c76073e4fe1e6da5da32f7a6
