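rule Fake_it_maintenance_bulletin : mail
{
  // Detects a phishing e-mail that impersonates an internal IT helpdesk /
  // Exchange (OWA) "server maintenance" notice and pushes the recipient to a
  // "Sign in to Access Upgrade" link (credential harvesting lure).
  meta:
    Author = "Tyler Linne <@InfoSecTyler>"
    Description = "Rule to detect a known phishing campaign targeting American companies using Microsoft Exchange"
  strings:
    // Minimal RFC 822 header markers: the scanned object must at least look
    // like a mail message before the lure phrases are considered.
    $eml_1 = "From:"
    $eml_2 = "To:"
    $eml_3 = "Subject:"

    // Subject lines seen in the campaign. The original hex patterns ended in a
    // [1-20] jump intended to absorb a varying date / server name; a jump is
    // not allowed at the end of a YARA hex string, and a prefix match already
    // tolerates any suffix, so the equivalent plain-text prefixes are used.
    // Kept case-sensitive, matching the original byte patterns.
    $subject1 = "IT SERVICE Maintenance Bulletin"
    $subject2 = "DESCRIPTION: Server Upgrade Maintenance"

    // Body phrases lifted from the lure text (case-insensitive).
    $body1 = "Message prompted from IT Helpdesk Support" nocase
    $body2 = "We are currently undergoing server maintenance upgrade" nocase
    $body3 = "Upgrade is to improve our security and new mail experience" nocase
    // NOTE(review): the double space in "instructed  to" is reproduced from the
    // original rule; confirm against a sample that the lure really contains it,
    // otherwise this string will never fire.
    $body4 = "As an active Outlook user, you are kindly instructed  to upgrade your mail account by Logging-in the below link" nocase
    $body5 = "Sign in to Access Upgrade" nocase
    $body6 = "Our goal is to provide excellent customer service" nocase
    // The original wrote "Thanks,/n OWA - ..." with a literal "/n" rather than
    // the "\n" escape, so it could never match a real line break. Match the
    // signature line on its own, independent of the CRLF/LF line ending used.
    $body7 = "OWA - IT Helpdesk Service" nocase

  condition:
    // YARA keywords are case-sensitive: "all", not "All".
    all of ($eml_*) and
    1 of ($subject*) and
    4 of ($body*)
}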