Create Email_fake_it_maintenance_bulletin

Rule to prevent against known phishing campaign targeting American companies using Microsoft Exchange.

email/Email_fake_it_maintenance_bulletin

+rule Fake_it_maintenance_bulletin : mail
+{
+  meta:
+		Author = "Tyler Linne <@InfoSecTyler>"
+		Description ="Rule to prevent against known phishing campaign targeting American companies using Microsoft Exchange"
+  strings:
+    $eml_1="From:"
+    $eml_2="To:"
+    $eml_3="Subject:"
+    $subject1={49 54 20 53 45 52 56 49 43 45 20 4d 61 69 6e 74 65 6e 61 6e 63 65 20 42 75 6c 6c 65 74 69 6e [1-20]} //Range is for varying date of "notification"
+    $subject2={44 45 53 43 52 49 50 54 49 4f 4e 3a 20 53 65 72 76 65 72 20 55 70 67 72 61 64 65 20 4d 61 69 6e 74 65 6e 61 6e 63 65 [1-20]} //Range is for server name varriation 
+    $body1="Message prompted from IT Helpdesk Support" nocase
+    $body2="We are currently undergoing server maintenance upgrade" nocase
+    $body3="Upgrade is to improve our security and new mail experience" nocase
+    $body4="As an active Outlook user, you are kindly instructed  to upgrade your mail account by Logging-in the below link" nocase
+    $body5="Sign in to Access Upgrade" nocase
+    $body6="Our goal is to provide excellent customer service" nocase
+    $body7="Thanks,/n OWA - IT Helpdesk Service" nocase
+
+  condition:
+    All of ($eml_*)and
+    1 of ($subject*) and
+    4 of ($body*) 
+}