/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Email_quota_limit_warning : mail { meta: Author = "Tyler Linne <@InfoSecTyler>" Description ="Rule to prevent against known email quota limit phishing campaign" strings: $eml_01 = "From:" //Added eml context $eml_02 = "To:" $eml_03 = "Subject:" $subject1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } // Range allows for different company names to be accepted $hello1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } $body1="You have exceded" nocase $body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 [0-4] } //Range allows for different quota "upgrade" sizes $body3="requested to expand it within 24 hours" nocase $body4="e-mail account will be disable from our database" nocase $body5="simply click with the complete information" nocase $body6="requested to expand your account quota" nocase $body7={54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 75 73 69 6e 67 20 [0-11] 20 57 65 62 6d 61 69 6c } // Range allows for different company names to be accepted condition: all of ($eml_*) and 1 of ($subject*) and 1 of ($hello*) and 4 of ($body*) }