[PR #3488] added rule: Attachment: Encrypted zip file with payment-related lure

github-actions[bot] · github-actions[bot] · commit c084a35aa2e1 · 2025-11-06T21:53:47.000Z
diff --git a/detection-rules/3488_body_encrypted_zip_password_attachment.yml b/detection-rules/3488_body_encrypted_zip_password_attachment.yml
@@ -0,0 +1,49 @@
+name: "Attachment: Encrypted zip file with payment-related lure"
+description: "Detects messages containing zip file attachments with payment-themed content that reference encrypted files, passwords, and payment details. The rule looks for specific patterns indicating the attachment is encrypted and contains payment-related information, commonly used to evade security scanning by requiring manual extraction."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) > 0
+  // 3 instances of zip/encrypted/payment information
+  and 3 of (
+    regex.icontains(body.current_thread.text, 'zip file.{1,50}encrypted'),
+    regex.icontains(body.current_thread.text, 'attachment.{1,30}encrypted'),
+    regex.icontains(body.current_thread.text,
+                    'password.{1,5}is.{1,5}[A-Z0-9]{8,}'
+    ),
+    regex.icontains(body.current_thread.text,
+                    'details.{1,20}payment.{1,30}attach'
+    ),
+    strings.icontains(subject.subject, "you have received"),
+    strings.icontains(subject.subject, "new debit"),
+    strings.icontains(subject.subject, "payment confirmation"),
+    strings.icontains(subject.subject, "invoice attached")
+  )
+  and (
+    // one attachment included and the file is a zip
+    attachments[0].file_extension == "zip"
+    and (
+      regex.icontains(attachments[0].file_name,
+                      'payment|invoice|receipt|document|bank'
+      )
+      // long uppercase passwords
+      or regex.contains(body.current_thread.text, '[A-Z]{10,}')
+    )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+id: "34f7eb84-f5fd-5ff4-ad10-dde1c9abcebd"
+og_id: "5d1eb7af-178b-50a0-85ee-d9eb4ffe4c6c"
+testing_pr: 3488
+testing_sha: 38b90564b114220f0b65bf13ab8c64616dbfe8cc
