Adversaries attach malicious payloads to scam emails and rely on the recipient opening the attachment to compromise the endpoint. SOC teams should hunt for this behavior proactively, for example by correlating mail-gateway and attachment-scan results in Azure Sentinel, so that a lure is caught before it leads to credential theft, data loss or a foothold on the network. The YARA rule below targets one specific Spanish-language lure: a fake bank-transfer receipt ("justificante de transferencia") delivered as an attachment.
YARA Rule
rule content : mail {
    meta:
        author = "A.Sanchez <asanchez@koodous.com>"
        description = "Detects scam emails with phishing attachment."
        test1 = "email/eml/transferencia1.eml"
        test2 = "email/eml/transferencia2.eml"

    strings:
        // Spanish subject line, "Subject: Transfer receipt"; matched case-insensitively
        $subject = "Asunto: Justificante de transferencia" nocase
        // Spanish body text, "Attached transfer receipt"; matched with exact case
        $body = "Adjunto justificante de transferencia"

    condition:
        // both strings must be present in the scanned file
        all of them
}
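To see what the rule does and does not catch, the following added example (not part of the original page or of the rule author's material) mirrors the rule's two string tests in pure Python and runs them over constructed sample messages. raw_match searches the raw .eml bytes exactly as YARA would ($subject case-insensitive, $body case-sensitive, both required); decoded_match applies the same tests after MIME decoding, on the assumption, which the rule itself does not state, that "Asunto:" stands for the RFC 5322 Subject header. The sender and recipient addresses, the forwarded-message block and the .zip attachment are all constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Strings mirrored from the YARA rule: $subject is declared nocase,
# $body is case-sensitive, and the condition requires both ("all of them").
SUBJECT_NEEDLE = b"Asunto: Justificante de transferencia"
BODY_NEEDLE = b"Adjunto justificante de transferencia"


def raw_match(eml_bytes: bytes) -> bool:
    """Byte-level search over the raw .eml, the way YARA sees the file."""
    subject_hit = SUBJECT_NEEDLE.lower() in eml_bytes.lower()   # nocase
    body_hit = BODY_NEEDLE in eml_bytes                          # exact case
    return subject_hit and body_hit


def decoded_match(eml_bytes: bytes) -> bool:
    """Same two tests after MIME decoding.

    Assumption (not stated by the rule): "Asunto:" means the Subject header,
    so the subject test runs on the decoded header value. The body test runs
    on the decoded text part, so a base64 Content-Transfer-Encoding no longer
    hides the phrase.
    """
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    subject = str(msg["subject"] or "")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    subject_hit = "justificante de transferencia" in subject.lower()
    body_hit = BODY_NEEDLE.decode() in body
    return subject_hit and body_hit


def build_eml(subject: str, body: str, cte: Optional[str] = None,
              attachment: Optional[tuple] = None) -> bytes:
    """Build a constructed sample .eml (hypothetical addresses, not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "pagos@banco.example"
    msg["To"] = "finanzas@empresa.example"
    msg["Subject"] = subject
    msg.set_content(body, cte=cte)          # cte=None lets the library pick 7bit for ASCII
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()


# Constructed lure body in the shape of a Spanish-localized client's forward,
# which is where the literal "Asunto:" line ends up inside a message body.
FORWARDED_BODY = (
    "Estimado cliente,\n\n"
    "Adjunto justificante de transferencia de la operacion de hoy.\n\n"
    "-----Mensaje original-----\n"
    "De: pagos@banco.example\n"
    "Asunto: Justificante de transferencia\n"
)


def samples() -> dict:
    """Three constructed messages: two lures, one legitimate backup report."""
    return {
        # Both phrases sit in a plain 7-bit body, so the raw rule fires.
        "plain_forward": build_eml("Fwd: Justificante de transferencia", FORWARDED_BODY),
        # Identical content, but the client base64-encoded the body: the bytes
        # YARA scans no longer contain either phrase.
        "base64_body": build_eml("Fwd: Justificante de transferencia", FORWARDED_BODY,
                                 cte="base64"),
        # Legitimate traffic from the exclusion scenarios: a backup report with a .zip.
        "benign_backup": build_eml(
            "Scheduled Backup 2024-05-01",
            "Backup completed. Archive attached.\n",
            attachment=("backup.zip", b"PK\x03\x04" + b"\x00" * 26),
        ),
    }


def scan(samples_by_name: dict) -> dict:
    """Return {name: (raw_match, decoded_match)} for every sample."""
    return {name: (raw_match(eml), decoded_match(eml))
            for name, eml in samples_by_name.items()}


if __name__ == "__main__":
    for name, (raw, decoded) in scan(samples()).items():
        print(f"{name:15s} raw={str(raw):5s} decoded={decoded}")
```

The base64_body sample is the point of the exercise: the rule's byte patterns miss a lure whose body was transfer-encoded, so in production the rule should be run on decoded message parts and extracted attachments (or the gateway should decode before scanning) rather than on the raw .eml file. With yara-python installed, the same samples can be fed to the compiled rule via match(data=...) to confirm that raw_match tracks it.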
The rule uses two string patterns and its condition requires both to match: $subject looks for the Spanish subject line "Asunto: Justificante de transferencia" ("Subject: Transfer receipt") case-insensitively, and $body looks for the body phrase "Adjunto justificante de transferencia" ("Attached transfer receipt") with exact case. Because YARA matches raw bytes, the rule fires only when both phrases appear literally in the scanned content; a base64-encoded body will not match unless the message is decoded before scanning. Deploying attachment-based phishing detection also requires exclusions for legitimate attachment traffic. The scenarios below are generic examples of such traffic and the exclusions that would suppress them; most of them would not trigger this particular rule, which fires only on the two Spanish phrases above.
Scenario: A system administrator sends the output of a scheduled backup job by email, including a .zip file that contains sensitive data.
Filter/Exclusion: Exclude mail sent from the administrator's address (admin_email@company.com) or with a subject line containing "Scheduled Backup".
Scenario: A user receives a legitimate email from a third-party vendor with a software-update attachment, a common pattern in enterprise environments.
Filter/Exclusion: Exclude mail from known vendor addresses (e.g., updates@vendor.com) or filter on attachments of type application/octet-stream whose names match known update file names.
Scenario: A developer shares code by email as a .tar.gz archive as part of a code review.
Filter/Exclusion: Exclude mail from the development team's group address (dev-team@company.com) or filter on attachment names containing "code_review".
Scenario: A user receives an email from the internal helpdesk with an attachment containing a password reset token.
Filter/Exclusion: Exclude mail from the helpdesk address (helpdesk@company.com) or with a subject line containing "Password Reset".
Scenario: A scheduled job runs a script that generates a report and emails it as an .xlsx attachment.
Filter/Exclusion: Exclude mail sent by the job scheduler (e.g., scheduler@company.com) or filter on attachments of type application/vnd.openxmlformats-officedocument.spreadsheetml.sheet with a specific file-name pattern.
Caveat: the From address and the subject line are both attacker-controlled, so an exclusion keyed only on them is also a bypass (a lure titled "Password Reset" from a spoofed helpdesk@company.com is a textbook phish). Apply sender-based exclusions only to mail that passes SPF/DKIM/DMARC alignment for that domain, and prefer exclusions that combine sender, subject and attachment attributes over any single field.