Create Email_quota_limit_warning

YARA Rule for known phishing campaign affecting multiple American companies.

Create Email_quota_limit_warning
YARA Rule for known phishing campaign affecting multiple American companies.
3d29d980 · Tyler Linne · GitHub · 8910035e · 3d29d980
Commit 3d29d980 authored Jun 15, 2017 by Tyler Linne Committed by GitHub Jun 15, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

Email_quota_limit_warning email/Email_quota_limit_warning +20 -0

No files found.
--- a/email/Email_quota_limit_warning
+++ b/email/Email_quota_limit_warning
+rule Email_quota_limit_warning : mail
+{
+  meta:
+		Author = "Tyler Linne @InfoSecTyler"
+		Description ="Rule to prevent against known email quota limit phishing campaign"
+    
+  strings:
+    $subject1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } // Range allows for different company names to be accepted
+    $hello1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 }
+    $body1="You have exceded" nocase
+    $body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 [0-4] } //Range allows for different quota "upgrades"
+    $body3="requested to expand it within 24 hours" nocase
+    $body4="e-mail account will be disable from our database" nocase
+    $body5="simply click with the complete information" nocase
+    $body6="requested to expand your account quota" nocase
+    $body7={54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 75 73 69 6e 67 20 [0-11] 20 57 65 62 6d 61 69 6c } // Range allows for different company names to be accepted
+
+  condition:
+    1 of ($subject*) and 1 of ($hello*) and 2 of ($body*) 
+}