From c25de5ad9e019051c4aa6cfe8f265bf015f076d8 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Wed, 22 Oct 2025 10:18:22 -0400
Subject: [PATCH 1/3] Create attachment_creditcard_application_with_whatsapp.yml

---
 ...t_creditcard_application_with_whatsapp.yml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 detection-rules/attachment_creditcard_application_with_whatsapp.yml

diff --git a/detection-rules/attachment_creditcard_application_with_whatsapp.yml b/detection-rules/attachment_creditcard_application_with_whatsapp.yml
new file mode 100644
index 00000000000..a3c9a5c2aee
--- /dev/null
+++ b/detection-rules/attachment_creditcard_application_with_whatsapp.yml
@@ -0,0 +1,57 @@
+name: "Attachment: Credit card application with WhatsApp contact"
+description: "Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // promotional/advertising content targeting financial services
+  and (
+    regex.icontains(body.current_thread.text,
+                    "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
+    )
+    or regex.icontains(subject.subject,
+                       "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
+    )
+    or any(ml.nlu_classifier(body.current_thread.text).topics,
+           .name in ("Advertising and Promotions")
+    )
+  )
+  // PII harvesting template in attachments (3+ of these patterns)
+  and any(attachments,
+          any(file.explode(.),
+              3 of (
+                regex.icontains(.scan.strings.raw, "Credit Card Application"),
+                regex.icontains(.scan.strings.raw, "Date of Birth"),
+                regex.icontains(.scan.strings.raw, "[eE]mail"),
+                regex.icontains(.scan.strings.raw, "[aA]ddress"),
+                regex.icontains(.scan.strings.raw, "Contact No"),
+                regex.icontains(.scan.strings.raw, "Pan No"),
+                regex.icontains(.scan.strings.raw, "ADHAAR"),
+                regex.icontains(.scan.strings.raw, "Annual.*salary"),
+                regex.icontains(.scan.strings.raw, "Mother Name"),
+                regex.icontains(.scan.strings.raw, "Father Name"),
+                regex.icontains(.scan.strings.raw, "SINGLE.*MARRIED")
+              )
+          )
+  )
+  // WhatsApp contact method (suspicious for legitimate financial institutions)
+  and (
+    regex.icontains(body.current_thread.text, "whatsapp")
+    or any(attachments,
+           any(file.explode(.), regex.icontains(.scan.qr.url.url, "wa\\.me"))
+    )
+    or any(file.explode(file.message_screenshot()),
+           regex.icontains(.scan.qr.url.url, "wa\\.me")
+    )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Out of band pivot"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "QR code analysis"

From 75d66d2a1b9c365689b718a9e47a80d99a87e3ce Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 22 Oct 2025 14:23:30 +0000
Subject: [PATCH 2/3] Auto add rule ID

---
 .../attachment_creditcard_application_with_whatsapp.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/attachment_creditcard_application_with_whatsapp.yml b/detection-rules/attachment_creditcard_application_with_whatsapp.yml
index a3c9a5c2aee..1225d78ee40 100644
--- a/detection-rules/attachment_creditcard_application_with_whatsapp.yml
+++ b/detection-rules/attachment_creditcard_application_with_whatsapp.yml
@@ -55,3 +55,4 @@ detection_methods:
   - "File analysis"
   - "Natural Language Understanding"
   - "QR code analysis"
+id: "95b08315-93a6-5005-8f38-ff597eb9f947"

From 79dd37c5beb7e485381d04c96a029cd822d90959 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Fri, 24 Oct 2025 08:50:57 -0400
Subject: [PATCH 3/3] Update attachment_creditcard_application_with_whatsapp.yml

---
 ...ment_creditcard_application_with_whatsapp.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/detection-rules/attachment_creditcard_application_with_whatsapp.yml b/detection-rules/attachment_creditcard_application_with_whatsapp.yml
index 1225d78ee40..c99ba333097 100644
--- a/detection-rules/attachment_creditcard_application_with_whatsapp.yml
+++ b/detection-rules/attachment_creditcard_application_with_whatsapp.yml
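Review bot: The `3 of (...)` attachment block is trivially satisfied by almost any form because `[eE]mail`, `[aA]ddress`, `Date of Birth` and `Contact No` appear in nearly every PDF or DOCX form, so the PII-harvesting prong adds little selectivity; I would make the distinctive term mandatory and count only the rest, i.e. `regex.icontains(.scan.strings.raw, "Credit Card Application")` followed by `and 3 of (` with that entry dropped from the list. The bracket classes are redundant under `regex.icontains`, and `Mother Name`/`Father Name` miss the common "Mother's Name" wording, so `"Mother'?s?\\s+Name"` and `"Father'?s?\\s+Name"` would be safer. In the WhatsApp prong, attachments are only inspected for a `wa.me` QR code, so a form that prints a WhatsApp number or `wa.me` link as text while the body never says "whatsapp" is missed; adding `regex.icontains(.scan.strings.raw, "whatsapp|wa\\.me")` inside the same `file.explode` call closes that gap, and matching the QR URL's root domain instead of the unanchored substring `wa\\.me` would avoid hitting unrelated hosts. There is no sender-trust exclusion, which presumably matters in markets where banks legitimately use WhatsApp for customer contact; if the repository's usual DMARC-passing high-trust-sender exclusion applies to this rule type, it is worth adding here.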
@@ -6,14 +6,16 @@ source: |
   type.inbound
   // promotional/advertising content targeting financial services
   and (
-    regex.icontains(body.current_thread.text,
-                    "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
+    (
+      regex.icontains(body.current_thread.text,
+                      "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
+      )
+      or regex.icontains(subject.subject,
+                         "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
+      )
     )
-    or regex.icontains(subject.subject,
-                       "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
-    )
-    or any(ml.nlu_classifier(body.current_thread.text).topics,
-           .name in ("Advertising and Promotions")
+    and any(ml.nlu_classifier(body.current_thread.text).topics,
+            .name in ("Advertising and Promotions")
     )
   )
   // PII harvesting template in attachments (3+ of these patterns)
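Review bot: The body and subject alternations are now the only regex path and they diverge silently: `special offer` is matched in `body.current_thread.text` but not in `subject.subject`, with nothing saying why. Either make both patterns identical or add `// 'special offer' is body-only: too generic to match on the subject` above the body call so the asymmetry reads as intended. Requiring the `Advertising and Promotions` topic on top of the regex is a sensible tightening, and since the NLU topic now carries the promotional signal, `special offer` alone is probably broad enough to drop; the rest of the `source` block continues outside the hunk.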