Merge branch 'main' into patch-66

detection-rules/attachment_any_html_in_archive_unsolicited.yml

@@ -17,9 +17,10 @@ source: |
     not profile.by_sender().solicited
     or (
       profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
     )
   )
+
+  and not profile.by_sender().any_false_positives
 tags:
   - "Attack surface reduction"
 attack_types:

detection-rules/attachment_any_html_new_sender.yml

@@ -13,11 +13,9 @@ source: |
   and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
   and (
     profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+  and not profile.by_sender().any_false_positives
 
   // negate highly trusted sender domains unless they fail DMARC authentication
   and

detection-rules/attachment_any_html_unsolicited.yml

@@ -12,10 +12,12 @@ source: |
   type.inbound
   and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
   and (
-    not profile.by_sender().any_false_positives
-    and not profile.by_sender().solicited
+    not profile.by_sender().solicited
+    or profile.by_sender().any_messages_malicious_or_spam
   )
 
+  and not profile.by_sender().any_false_positives
+
   // negate highly trusted sender domains unless they fail DMARC authentication
   and
   (

detection-rules/attachment_disallowed_file_type_in_archive.yml

@@ -197,11 +197,10 @@ source: |
   )
   and (
     profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+  and not profile.by_sender().any_false_positives
+  
 tags:
   - "Attack surface reduction"
 attack_types:

detection-rules/attachment_docusign_image_suspicious_links.yml

@@ -26,11 +26,13 @@ source: |
           )
   )
   and (
-    profile.by_sender().prevalence in ("new", "outlier")
+    (
+      not profile.by_sender().solicited
+      and profile.by_sender().prevalence in ("new", "outlier")
+    )
     or (
       profile.by_sender().any_messages_malicious_or_spam
       and not profile.by_sender().any_false_positives
-
     )
   )
 attack_types:

detection-rules/attachment_eml_cred_theft.yml

@@ -8,23 +8,35 @@ source: |
   and length(attachments) == 1
   and any(attachments,
           .content_type == "message/rfc822"
-          and any(file.explode(.),
-                  any(.scan.url.urls,
+          and (
+            any(file.explode(.),
+                any(.scan.url.urls,
+                    (
                       (
                         .domain.root_domain in $free_subdomain_hosts
                         or .domain.root_domain in ("sharepoint.com")
                         or .domain.root_domain not in $tranco_1m
                       )
                       and beta.linkanalysis(.).credphish.disposition == "phishing"
-                  )
+                    )
+                    // or any links in the final dom lead to a suspicious tld
+                    or any(beta.linkanalysis(.).final_dom.links,
+                           beta.linkanalysis(.href_url).effective_url.domain.tld in $suspicious_tlds
+                    )
+                )
+            )
           )
   )
-
+  
   // engaging language in the original body
   and any(ml.nlu_classifier(body.html.display_text).entities, .name == "request")
-
+  
   // exclude bounce backs & read receipts
-  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
+  and not strings.like(sender.email.local_part,
+                       "*postmaster*",
+                       "*mailer-daemon*",
+                       "*administrator*"
+  )
   and not regex.icontains(subject.subject, "^(undeliverable|read:)")
   and not any(attachments, .content_type == "message/delivery-status")
   // if the "References" is in the body of the message, it's probably a bounce
@@ -36,6 +48,7 @@ source: |
       and not profile.by_sender().any_false_positives
     )
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:

detection-rules/attachment_eml_with_html_attachment.yml

@@ -41,15 +41,14 @@ source: |
   // if the "References" is in the body of the message, it's probably a bounce
   and not any(headers.references, strings.contains(body.html.display_text, .))
   and (
-    not profile.by_sender().solicited
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+  and not profile.by_sender().any_false_positives
 tags:
   - "Attack surface reduction"
 attack_types:
+
   - "Credential Phishing"
   - "Malware/Ransomware"
 tactics_and_techniques:

detection-rules/attachment_js_file_execution.yml

@@ -17,11 +17,10 @@ source: |
   )
   and (
     profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+  and not profile.by_sender().any_false_positives
+  
 tags:
   - "Attack surface reduction"
 attack_types:

detection-rules/body_business_email_compromise_unsolicited.yml

@@ -22,8 +22,8 @@ source: |
     ),
     (
       // SPF failure
-      any(distinct(headers.hops, .received_spf.verdict is not null),
-          strings.ilike(.received_spf.verdict, "*fail")
+      any(distinct(headers.hops, .authentication_results.spf is not null),
+          strings.ilike(.authentication_results.spf, "*fail")
       )
     ),
   )

detection-rules/impersonation_blockchain.yml

@@ -11,8 +11,8 @@ source: |
     or strings.ilike(sender.email.domain.domain, '*blockchain.com*')
     or any(body.links, strings.ilevenshtein(.href_url.domain.root_domain, 'blockchain') == 1)
   )
-  and any(distinct(headers.hops, .received_spf.verdict is not null),
-          strings.like(.received_spf.verdict, "*fail")
+  and any(distinct(headers.hops, .authentication_results.spf is not null),
+          strings.like(.authentication_results.spf, "*fail")
   )
   and sender.email.domain.root_domain not in~ (
     'blockchain.com',

detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml

@@ -9,7 +9,10 @@ severity: "medium"
 source: |
   type.inbound
   and (
-    profile.by_sender().prevalence in ("new", "outlier")
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
     or (
       profile.by_sender().any_messages_malicious_or_spam
       and not profile.by_sender().any_false_positives

detection-rules/link_credential_phishing_voicemail_language.yml

@@ -39,7 +39,7 @@ source: |
         any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
       ),
       (
-        any([sender.display_name, subject.subject, body.current_thread.text],
+        any([sender.display_name, subject.subject],
             regex.contains(.,
                            '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
             )

detection-rules/link_google_translate.yml

@@ -13,11 +13,10 @@ source: |
   and any(body.links, "google_translate_open_redirect" in .href_url.rewrite.encoders)
   and (
     not profile.by_sender().solicited
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+
+  and not profile.by_sender().any_false_positives
 tags:
   - "Attack surface reduction"
 attack_types:

detection-rules/link_new_domain_in_link_first_time_sender.yml

@@ -9,11 +9,9 @@ source: |
   and any(body.links, beta.whois(.href_url.domain).days_old <= 10)
   and (
     profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+  and not profile.by_sender().any_false_positives
 tags:
   - "Attack surface reduction"
 attack_types:

detection-rules/link_quickbooks_image_lure_suspicious_link.yml

@@ -17,11 +17,11 @@ source: |
       or body.current_thread.text is null
     )
     or (
-      length(body.current_thread.text) < 900
+      length(body.current_thread.text) < 1500
       // or body is most likely all warning banner (text contains the sender and common warning banner language)
       and (
         regex.icontains(body.current_thread.text,
-                        'caution|confidentiality notice|warning'
+                        'caution|confidentiality notice|warning|disclaimer'
         )
       )
     )
@@ -41,6 +41,7 @@ source: |
               "hubspotlinks.com",
               "mandrillapp.com",
               "sendgrid.net",
+              "naylorcampaigns.com",
               "rs6.net"
             )
           )
@@ -80,6 +81,7 @@ source: |
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
+
   
 attack_types:
   - "Credential Phishing"

detection-rules/recipients_undisclosed_free_subdomain_host.yml

@@ -23,11 +23,10 @@ source: |
   )
   and (
     profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+  and not profile.by_sender().any_false_positives
+  
 tags:
   - "Attack surface reduction"
 tactics_and_techniques:

detection-rules/sender_new_from_domain_first_time_sender.yml

@@ -8,11 +8,10 @@ source: |
   and beta.whois(sender.email.domain).days_old <= 10
   and (
     profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
+    or profile.by_sender().any_messages_malicious_or_spam
   )
+  and not profile.by_sender().any_false_positives
+  
 tags:
   - "Attack surface reduction"
 detection_methods:

detection-rules/spoofable_internal_domain_suspicious_signals.yml

@@ -22,7 +22,7 @@ source: |
           .authentication_results.dmarc_details.from.domain in $org_domains
 
           // internal domain is spoofable
-          and .authentication_results.dmarc_details.verdict == "none"
+          and .authentication_results.dmarc == "none"
           and .authentication_results.spf == "none"
           and .authentication_results.compauth.verdict not in ("pass", "softpass")
   )

detection-rules/suspicious_request_for_quote_or_purchase.yml

@@ -46,6 +46,21 @@ source: |
       )
     )
   )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and
+  (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
 attack_types:
   - "BEC/Fraud"
 tactics_and_techniques:

detection-rules/vip_impersonation_attack_surface_reduction.yml

@@ -26,16 +26,15 @@ source: |
     or (
       profile.by_sender().any_messages_malicious_or_spam
       and not profile.by_sender().any_false_positives
-    )
   )
 
   and (
     not profile.by_sender().solicited
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
+    or profile.by_sender().any_messages_malicious_or_spam
     )
   )
+
+  and not profile.by_sender().any_false_positives
 tags:
   - "Attack surface reduction"
 attack_types:

insights/authentication/spf_any_fail.yml

@@ -1,7 +1,7 @@
 name: "SPF: Fail"
 type: "query"
 source: |
-  any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*fail"))
+  any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*fail"))
 severity: "medium"
 tags:
   - "Sender authentication"

signals/authentication/authentication_spf_error.yml

@@ -1,4 +1,4 @@
 name: "Authentication: SPF Error"
 type: "query"
 source: |
-  any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*error"))
+  any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*error"))

signals/authentication/authentication_spf_failure.yml

@@ -1,4 +1,4 @@
 name: "Authentication: SPF Failure"
 type: "query"
 source: |
-  any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*fail"))
+  any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*fail"))