YARA Rules

Below is a list of common use cases for YARA rules. Each rule can be customized and used in your PhishER platform. For more information about writing YARA rules, please visit our How to Write YARA Rules article or YARA Rules video.

Jump to:
NOT Present Rule
CEO Fraud Rule
Attachments Rule
Automated Software Emails Rule
KnowBe4 Training Emails Rule
Internal Sender Rule
Regular Expressions Table

NOT Present Rule

If you would like to create a YARA rule that detects if an item is not present in a selected target (click to view), it's important to include the special variable filesize in your rule's condition. See the example below:

(Click on the rule to open the YARA_Rules.txt file in a new window)

By adding the filesize variable to your condition, you're checking to see if the target you selected to scan is empty. This is helpful if you receive an email with a plain text body and an HTML body, as one part may be empty while the other contains your string. In this scenario, the email could falsely match the rule if the filesize variable is not included.

Back to top

CEO Fraud Rule

If you would like to create a YARA rule that helps identify potential CEO Fraud attempts, you can use the example rule below:

(Click on the rule to open the YARA_Rules.txt file in a new window)

If you decide to use this rule, be sure to replace all of the highlighted text with your CEO's information:

• From Email Address

  /From:.{0,20}\<yourCEO@yourDomain.com\>/

• From Name

  /From:.{0,20}yourCEO.{0,20}<.{5,100}>/

• From Name AND From Email Address

  /From:.{0,20}yourCEO.{0,20}\<yourCEO@yourDomain.com\>/

• Reply-To Email Address

   /Reply-To:.{0,20}\<yourCEO@yourDomain.com\>/

• Reply-To Name

   /Reply-To:.{0,20}yourCEO.{0,20}\</

• Reply-To Name AND Reply-To Email Address

  /Reply-To:.{0,20}yourCEO.{0,20}\<yourCEO@yourDomain.com\>/

Back to top

Attachments Rule

If you would like to create a YARA rule that detects if any type of attachment is included in an email, you can use the example rule below:

(Click on the rule to open the YARA_Rules.txt file in a new window)

Keep in mind, this rule does not detect specific attachment types. If you would like to write an attachment-type-specific rule, you can follow the format of the rule below:

Depending on what you want to detect, you can customize this rule by adding or removing different attachment types.

Back to top

Automated Software Emails Rule

If you would like to create a YARA rule that detects automated software emails, you can use the example rule below:

(Click on the rule to open the YARA_Rules.txt file in a new window)

If you decide to use this rule, be sure to replace all of the highlighted text with the name of a software application your organization uses or is likely to receive an email from. Be aware, this rule may flag legitimate emails because it looks for the highlighted words in the from address or the subject line of an email.

Back to top

KnowBe4 Training Emails Rule

If you would like to create a YARA rule that detects all KnowBe4 Training emails, you can use the example rule below:

(Click on the rule to open the YARA_Rules.txt file in a new window)

Back to top

Internal Sender Rule

If you would like to create a YARA rule that identifies any email coming from your domain that is not a spoofed email, you can use the example rule below:

(Click on the rule to open the YARA_Rules.txt file in a new window)

If you decide to use this rule, note that the email will also have to have a matching sender domain in the headers and pass SPF. This rule will miss tagging any emails that come from your domain that do not pass SPF or emails without SPF records. If you would like to tag the types of emails mentioned, remove the $d string and potentially the $c string. 

Back to top

Regular Expressions Table

Below is a condensed list of commonly used regular expressions that are recognized by the YARA compiler. For more information about regular expressions, visit here.

Back to top