Attachment: Suspicious employee policy update document lure

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Inbound message containing subject line and attachments related to handbook, compensation, or policy updates. Attachments are limited to Microsoft Word documents and match similar update-related terminology. This pattern has been observed used to delivery credential phishing via QR codes.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	PDF, Social engineering, Evasion

Event coverage

Message attribute
attachments (collection)
headers.auth_summary
recipients
recipients.to (collection)
sender.email
subject
type

Rule body MQL

type.inbound
// NOTE: This rule is designed for these values to match/sync subject.base and file names
and (
  // the subject contains pay related items
  (
    strings.icontains(subject.base, 'salary')
    or regex.icontains(subject.base, '\bpay(?:out|roll|\b)')
    or strings.icontains(subject.base, 'remuneration')
    or strings.icontains(subject.base, 'bonus')
    or strings.icontains(subject.base, 'incentive')
    or strings.icontains(subject.base, 'merit\b')
    or strings.icontains(subject.base, 'handbook')
    or strings.icontains(subject.base, 'benefits')
    or strings.icontains(subject.base, 'earnings')
    or strings.icontains(subject.base, 'contract')
    or regex.icontains(subject.base, 'empl[o0]yment')
  )
  and (
    strings.icontains(subject.base, 'review')
    or strings.icontains(subject.base, 'breakdown')
    or strings.icontains(subject.base, 'Access Your')
    or strings.icontains(subject.base, 'evaluation')
    or regex.icontains(subject.base, 'eval\b')
    or strings.icontains(subject.base, 'assessment')
    or strings.icontains(subject.base, 'appraisal')
    or strings.icontains(subject.base, 'feedback')
    or strings.icontains(subject.base, 'performance')
    or strings.icontains(subject.base, 'adjustment')
    or strings.icontains(subject.base, 'qualification')
    or strings.icontains(subject.base, 'increase')
    or strings.icontains(subject.base, 'raise')
    or strings.icontains(subject.base, 'change')
    or strings.icontains(subject.base, 'modification')
    or strings.icontains(subject.base, 'distribution')
    or strings.icontains(subject.base, 'details')
    or regex.icontains(subject.base, 'revis(?:ed|ion)')
    or regex.icontains(subject.base, 'amend(?:ed|ment)')
    or regex.icontains(subject.base, 'update(?:d| to)')
    or strings.icontains(subject.base, 'plan')
    or strings.icontains(subject.base, 'notification')
  )
)
and 0 < length(attachments) <= 3
and any(attachments,
        .file_extension in ("doc", "docx", "docm", "pdf", "pptx")
        and (
          strings.icontains(.file_name, 'salary')
          or strings.icontains(.file_name, 'compensation')
          or regex.icontains(.file_name, '\bpay(?:roll|\b)')
          or strings.icontains(.file_name, 'bonus')
          or strings.icontains(.file_name, 'incentive')
          or strings.icontains(.file_name, 'merit\b')
          or strings.icontains(.file_name, 'handbook')
          or strings.icontains(.file_name, 'benefits')
          or regex.icontains(.file_name, 'empl[o0]yment')
        )
        and (
          strings.icontains(.file_name, 'review')
          or strings.icontains(.file_name, 'evaluation')
          or regex.icontains(.file_name, 'eval\b')
          or strings.icontains(.file_name, 'assessment')
          or strings.icontains(.file_name, 'appraisal')
          or strings.icontains(.file_name, 'feedback')
          or strings.icontains(.file_name, 'performance')
          or strings.icontains(.file_name, 'adjustment')
          or strings.icontains(.file_name, 'increase')
          or strings.icontains(.file_name, 'increment')
          or strings.icontains(.file_name, 'raise')
          or strings.icontains(.file_name, 'change')
          or strings.icontains(.file_name, 'modification')
          or strings.icontains(.file_name, 'distribution')
          or strings.icontains(.file_name, 'statement')
          or regex.icontains(.file_name, 'revis(?:ed|ion)')
          or regex.icontains(.file_name, 'amend(?:ed|ment)')
          or regex.icontains(.file_name, 'adjust(?:ed|ment)')
          or regex.icontains(.file_name, 'update(?:d| to)')
          or regex.icontains(.file_name,
                             '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}'
          )
          or strings.icontains(.file_name, 'contract')
          or (
            // file name contains recipient's email
            any(recipients.to,
                strings.icontains(..file_name, .email.email)
                and .email.domain.valid
            )
          )
        )
)
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Detection logic

Scope: inbound message.

inbound message
all of:
- any of:
  - subject.base contains 'salary'
  - subject.base matches '\\bpay(?:out|roll|\\b)'
  - subject.base contains 'remuneration'
  - subject.base contains 'bonus'
  - subject.base contains 'incentive'
  - subject.base contains 'merit\\b'
  - subject.base contains 'handbook'
  - subject.base contains 'benefits'
  - subject.base contains 'earnings'
  - subject.base contains 'contract'
  - subject.base matches 'empl[o0]yment'
- any of:
  - subject.base contains 'review'
  - subject.base contains 'breakdown'
  - subject.base contains 'Access Your'
  - subject.base contains 'evaluation'
  - subject.base matches 'eval\\b'
  - subject.base contains 'assessment'
  - subject.base contains 'appraisal'
  - subject.base contains 'feedback'
  - subject.base contains 'performance'
  - subject.base contains 'adjustment'
  - subject.base contains 'qualification'
  - subject.base contains 'increase'
  - subject.base contains 'raise'
  - subject.base contains 'change'
  - subject.base contains 'modification'
  - subject.base contains 'distribution'
  - subject.base contains 'details'
  - subject.base matches 'revis(?:ed|ion)'
  - subject.base matches 'amend(?:ed|ment)'
  - subject.base matches 'update(?:d| to)'
  - subject.base contains 'plan'
  - subject.base contains 'notification'
all of:
- length(attachments) > 0
- length(attachments) ≤ 3
any of attachments where all hold:
- .file_extension in ('doc', 'docx', 'docm', 'pdf', 'pptx')
- any of:
  - .file_name contains 'salary'
  - .file_name contains 'compensation'
  - .file_name matches '\\bpay(?:roll|\\b)'
  - .file_name contains 'bonus'
  - .file_name contains 'incentive'
  - .file_name contains 'merit\\b'
  - .file_name contains 'handbook'
  - .file_name contains 'benefits'
  - .file_name matches 'empl[o0]yment'
- any of:
  - .file_name contains 'review'
  - .file_name contains 'evaluation'
  - .file_name matches 'eval\\b'
  - .file_name contains 'assessment'
  - .file_name contains 'appraisal'
  - .file_name contains 'feedback'
  - .file_name contains 'performance'
  - .file_name contains 'adjustment'
  - .file_name contains 'increase'
  - .file_name contains 'increment'
  - .file_name contains 'raise'
  - .file_name contains 'change'
  - .file_name contains 'modification'
  - .file_name contains 'distribution'
  - .file_name contains 'statement'
  - .file_name matches 'revis(?:ed|ion)'
  - .file_name matches 'amend(?:ed|ment)'
  - .file_name matches 'adjust(?:ed|ment)'
  - .file_name matches 'update(?:d| to)'
  - .file_name matches '(January|February|March|April|May|June|July|August|September|October|November|December)\\s20[2,3]{1}\\d{1}'
  - .file_name contains 'contract'
  - any of recipients.to where all hold:
    
    strings.icontains(.file_name)
    .email.domain.valid
not:
- all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - coalesce(headers.auth_summary.dmarc.pass)

Inspects: attachments[].file_extension, attachments[].file_name, headers.auth_summary.dmarc.pass, recipients.to, recipients.to[].email.domain.valid, recipients.to[].email.email, sender.email.domain.root_domain, subject.base, type.inbound. Sensors: regex.icontains, strings.icontains. Reference lists: $high_trust_sender_root_domains.

Indicators matched (44)

Field	Match	Value
`strings.icontains`	substring	`salary`
`regex.icontains`	regex	`\bpay(?:out\|roll\|\b)`
`strings.icontains`	substring	`remuneration`
`strings.icontains`	substring	`bonus`
`strings.icontains`	substring	`incentive`
`strings.icontains`	substring	`merit\b`
`strings.icontains`	substring	`handbook`
`strings.icontains`	substring	`benefits`
`strings.icontains`	substring	`earnings`
`strings.icontains`	substring	`contract`
`regex.icontains`	regex	`empl[o0]yment`
`strings.icontains`	substring	`review`

32 more

`strings.icontains`	substring	`breakdown`
`strings.icontains`	substring	`Access Your`
`strings.icontains`	substring	`evaluation`
`regex.icontains`	regex	`eval\b`
`strings.icontains`	substring	`assessment`
`strings.icontains`	substring	`appraisal`
`strings.icontains`	substring	`feedback`
`strings.icontains`	substring	`performance`
`strings.icontains`	substring	`adjustment`
`strings.icontains`	substring	`qualification`
`strings.icontains`	substring	`increase`
`strings.icontains`	substring	`raise`
`strings.icontains`	substring	`change`
`strings.icontains`	substring	`modification`
`strings.icontains`	substring	`distribution`
`strings.icontains`	substring	`details`
`regex.icontains`	regex	`revis(?:ed\|ion)`
`regex.icontains`	regex	`amend(?:ed\|ment)`
`regex.icontains`	regex	`update(?:d\| to)`
`strings.icontains`	substring	`plan`
`strings.icontains`	substring	`notification`
`attachments[].file_extension`	member	`doc`
`attachments[].file_extension`	member	`docx`
`attachments[].file_extension`	member	`docm`
`attachments[].file_extension`	member	`pdf`
`attachments[].file_extension`	member	`pptx`
`strings.icontains`	substring	`compensation`
`regex.icontains`	regex	`\bpay(?:roll\|\b)`
`strings.icontains`	substring	`increment`
`strings.icontains`	substring	`statement`
`regex.icontains`	regex	`adjust(?:ed\|ment)`
`regex.icontains`	regex	`(January\|February\|March\|April\|May\|June\|July\|August\|September\|October\|November\|December)\s20[2,3]{1}\d{1}`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)