[Test Rules] [PR #4369] added rule: Attachment: Suspicious employee policy update document lure

github-actions[bot] · github-actions[bot] · commit 78b4834e5449 · 2026-04-20T13:58:54.000Z
diff --git a/detection-rules/4369_attachment_sus_employee_doc.yml b/detection-rules/4369_attachment_sus_employee_doc.yml
@@ -0,0 +1,163 @@
+name: "Attachment: Suspicious employee policy update document lure"
+description: "Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology.  This pattern has been observed used to delivery credential phishing via QR codes."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // NOTE: mirror ALL changes between subject & attachments
+  and (
+    // the subject contains pay related keywords
+    (
+      (
+        strings.icontains(subject.base, "benefits")
+        and not strings.icontains(subject.base, "fidelity netbenefits")
+      )
+      or strings.icontains(subject.base, "bonus")
+      or (
+        regex.icontains(subject.base, '\bcomp(?:ensation)?\b')
+        and not strings.icontains(subject.base, "broker")
+      )
+      or strings.icontains(subject.base, "earnings")
+      or regex.icontains(subject.base, 'empl[o0]y(?:ment|ee)')
+      or (
+        strings.icontains(subject.base, "financial")
+        and not strings.icontains(subject.base, "statement")
+      )
+      or strings.icontains(subject.base, "handbook")
+      or strings.icontains(subject.base, "incentive")
+      or regex.icontains(subject.base, 'merit\b')
+      or regex.icontains(subject.base, '\bpay(?:out|roll)?\b')
+      or strings.icontains(subject.base, "remuneration")
+      or strings.icontains(subject.base, "salary")
+    )
+    and (
+      strings.icontains(subject.base, "access your")
+      or regex.icontains(subject.base, 'adjust(?:ed|ment)')
+      or regex.icontains(subject.base, 'amend(?:ed|ment)')
+      or strings.icontains(subject.base, "appraisal")
+      or strings.icontains(subject.base, "assessment")
+      or strings.icontains(subject.base, "breakdown")
+      or strings.icontains(subject.base, "change")
+      or strings.icontains(subject.base, "details")
+      or strings.icontains(subject.base, "distribution")
+      or regex.icontains(subject.base, 'eval\b')
+      or strings.icontains(subject.base, "evaluation")
+      or strings.icontains(subject.base, "feedback")
+      or strings.icontains(subject.base, "increase")
+      or strings.icontains(subject.base, "increment")
+      or strings.icontains(subject.base, "info")
+      or strings.icontains(subject.base, "modification")
+      or strings.icontains(subject.base, "notification")
+      or strings.icontains(subject.base, "performance")
+      or strings.icontains(subject.base, "plan")
+      or strings.icontains(subject.base, "qualification")
+      or strings.icontains(subject.base, "raise")
+      or (
+        strings.icontains(subject.base, "review")
+        and not strings.icontains(subject.base, "preview")
+      )
+      or regex.icontains(subject.base, 'revis(?:ed|ion)')
+      or strings.icontains(subject.base, "statement")
+      or regex.icontains(subject.base, 'update(?:d| to)?')
+      or regex.icontains(subject.base,
+                         '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}'
+      )
+    )
+  )
+  
+  // the attachment contains pay related keywords
+  and 0 < length(attachments) <= 3
+  and any(attachments,
+          .file_type in ("doc", "docx", "pdf", "pptx")
+          and (
+            (
+              strings.icontains(.file_name, "benefits")
+              and not strings.icontains(.file_name, "fidelity netbenefits")
+            )
+            or strings.icontains(.file_name, "bonus")
+            or (
+              regex.icontains(.file_name, '\bcomp(?:ensation)?\b')
+              and not (strings.icontains(.file_name, "broker"))
+            )
+            or regex.icontains(.file_name, 'empl[o0]y(?:ment|ee)')
+            or (
+              strings.icontains(.file_name, "financial")
+              and not strings.icontains(.file_name, "statement")
+            )
+            or strings.icontains(.file_name, "handbook")
+            or strings.icontains(.file_name, "incentive")
+            or regex.icontains(.file_name, 'merit\b')
+            or regex.icontains(.file_name, '\bpay(?:out|roll)?\b')
+            or strings.icontains(.file_name, "remuneration")
+            or strings.icontains(.file_name, "salary")
+          )
+          and (
+            strings.icontains(.file_name, "access your")
+            or regex.icontains(.file_name, 'adjust(?:ed|ment)')
+            or regex.icontains(.file_name, 'amend(?:ed|ment)')
+            or strings.icontains(.file_name, "appraisal")
+            or strings.icontains(.file_name, "assessment")
+            or strings.icontains(.file_name, "breakdown")
+            or strings.icontains(.file_name, "change")
+            or strings.icontains(.file_name, "details")
+            or strings.icontains(.file_name, "distribution")
+            or regex.icontains(.file_name, 'eval\b')
+            or strings.icontains(.file_name, "evaluation")
+            or strings.icontains(.file_name, "feedback")
+            or strings.icontains(.file_name, "increase")
+            or strings.icontains(.file_name, "increment")
+            or strings.icontains(.file_name, "info")
+            or strings.icontains(.file_name, "modification")
+            or strings.icontains(.file_name, "notification")
+            or strings.icontains(.file_name, "performance")
+            or strings.icontains(.file_name, "plan")
+            or strings.icontains(.file_name, "qualification")
+            or strings.icontains(.file_name, "raise")
+            or (
+              strings.icontains(.file_name, "review")
+              and not strings.icontains(.file_name, "preview")
+            )
+            or regex.icontains(.file_name, 'revis(?:ed|ion)')
+            or strings.icontains(.file_name, "statement")
+            or regex.icontains(.file_name, 'update(?:d| to)?')
+            or regex.icontains(.file_name,
+                               '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}'
+            )
+            or (
+              // file name contains recipient's email
+              any(recipients.to,
+                  strings.icontains(..file_name, .email.email)
+                  and .email.domain.valid
+              )
+              // file name contains recipient's sld
+              or any(recipients.to,
+                     strings.icontains(..file_name, .email.domain.sld)
+                     and .email.domain.valid
+              )
+            )
+          )
+  )
+  
+  // negate legitimate conversations
+  and not (subject.is_forward or subject.is_reply)
+  
+  // negate high trust sender domains unless they fail authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "PDF"
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Sender analysis"
+id: "1fec6756-a98a-5777-b7e4-ffa803a906a9"
+og_id: "a8bf1fd1-d9fa-572d-8957-51d6025a5248"
+testing_pr: 4369
+testing_sha: f2bf594f1df53f0ea6aae79fb1b00d60aaaea702
