Volatility3 MCP Server

/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule Fake_it_maintenance_bulletin : mail { meta: Author = "Tyler Linne <@InfoSecTyler>" Description ="Rule to prevent against known phishing campaign targeting American companies using Microsoft Exchange" strings: $eml_1="From:" $eml_2="To:" $eml_3="Subject:" $subject1={49 54 20 53 45 52 56 49 43 45 20 4d 61 69 6e 74 65 6e 61 6e 63 65 20 42 75 6c 6c 65 74 69 6e} //Range is for varying date of "notification" $subject2={44 45 53 43 52 49 50 54 49 4f 4e 3a 20 53 65 72 76 65 72 20 55 70 67 72 61 64 65 20 4d 61 69 6e 74 65 6e 61 6e 63 65} //Range is for server name varriation $body1="Message prompted from IT Helpdesk Support" nocase $body2="We are currently undergoing server maintenance upgrade" nocase $body3="Upgrade is to improve our security and new mail experience" nocase $body4="As an active Outlook user, you are kindly instructed to upgrade your mail account by Logging-in the below link" nocase $body5="Sign in to Access Upgrade" nocase $body6="Our goal is to provide excellent customer service" nocase $body7="Thanks,/n OWA - IT Helpdesk Service" nocase condition: all of ($eml_*)and 1 of ($subject*) and 4 of ($body*) }