
Summary
This detection rule identifies deceptive emails whose body mimics the attachment components of Gmail's own user interface. Those components should appear only inside the Gmail client, never in the body of a message, so their presence in an email is a strong indicator of a fake attachment. The rule inspects the HTML and text content of the email for specific indicators of a fraudulent attachment: phrases associated with Gmail's attachment rendering (such as 'Scanned by Gmail') together with links whose text suggests downloadable content, while constraining the number of valid links in the message and what those links contain. It also checks the sender against a list of trusted domains; a trusted domain exempts a message only when DMARC authentication passes, so a message that claims a trusted domain but fails DMARC is still flagged. Finally, the rule conditions alerts on the sender's history: a sender that was previously flagged as malicious but whose earlier detections proved to be false positives is suppressed, to reduce alert fatigue from legitimate sources.
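The following is an added worked example, not the rule's own query language or code: a small Python model of the logic the summary describes, run over constructed sample messages. The trusted-domain list, the Gmail UI phrase list, the download-text regex and the MAX_LINKS threshold are illustrative assumptions, as are the sender-profile fields on Message; the real rule's values are not on this page.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Illustrative stand-ins for the rule's lists and thresholds (assumed values,
# not the real rule's). Only the structure of the checks mirrors the summary.
TRUSTED_DOMAINS = {"google.com", "example.com"}
GMAIL_UI_PHRASES = ("scanned by gmail",)
DOWNLOAD_TEXT = re.compile(r"\b(download|open|view)\b", re.I)
MAX_LINKS = 3


@dataclass
class Message:
    """Fields the rule consults: sender domain, DMARC result, body, sender profile."""
    sender_domain: str
    dmarc_pass: bool
    html_body: str
    sender_prev_flagged: bool = False          # sender profile: flagged before
    sender_only_false_positives: bool = False  # ...but every prior flag was a false positive


class BodyParser(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def evaluate(msg: Message):
    """Return (matched, reason). Order follows the summary: body indicators,
    then the link constraint, then the trusted-domain/DMARC and sender-profile suppressions."""
    parser = BodyParser()
    parser.feed(msg.html_body)
    visible = " ".join(parser.text).lower()

    if not any(p in visible for p in GMAIL_UI_PHRASES):
        return False, "no Gmail attachment-UI phrase in body"
    download_links = [(h, t) for h, t in parser.links if DOWNLOAD_TEXT.search(t)]
    if not download_links:
        return False, "no link with download-style anchor text"
    if len(parser.links) > MAX_LINKS:
        return False, f"more than {MAX_LINKS} links in body"
    # A trusted domain earns an exemption only when DMARC actually passes;
    # a trusted domain that fails DMARC is treated as spoofed and stays flagged.
    if msg.sender_domain in TRUSTED_DOMAINS and msg.dmarc_pass:
        return False, "trusted sender domain with passing DMARC"
    if msg.sender_prev_flagged and msg.sender_only_false_positives:
        return False, "sender previously flagged, all prior flags were false positives"
    return True, "match"


# Constructed sample bodies for the demonstration (not real messages).
FAKE_ATTACHMENT_HTML = (
    "<p>Please find the invoice attached.</p>"
    "<div style='border:1px solid #ccc'>invoice_0428.pdf<br>"
    "<a href='https://files.example.net/view'>Download</a></div>"
    "<p><small>Scanned by Gmail</small></p>"
)
NEWSLETTER_HTML = (
    "<p>Scanned by Gmail</p>"
    + "".join(f"<a href='https://news.example.com/{i}'>View item {i}</a>" for i in range(5))
)

SAMPLES = {
    "lookalike_sender": Message("secure-mail.example.net", False, FAKE_ATTACHMENT_HTML),
    "spoofed_trusted": Message("google.com", False, FAKE_ATTACHMENT_HTML),
    "genuine_trusted": Message("google.com", True, FAKE_ATTACHMENT_HTML),
    "known_fp_sender": Message("secure-mail.example.net", False, FAKE_ATTACHMENT_HTML, True, True),
    "many_links": Message("secure-mail.example.net", False, NEWSLETTER_HTML),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:18} -> {evaluate(msg)}")
```

The two messages that claim google.com show the DMARC interaction: the one that passes DMARC is exempted by the trusted-domain list, the one that fails it is still flagged. The newsletter carries the Gmail phrase and download-style anchors but is dropped by the link-count constraint, and the known false-positive sender is suppressed by the profile check.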
Categories
- Web
- Identity Management
- Cloud
Data Sources
- User Account
- Application Log
- Process
Created: 2024-08-20