From 0c8af756c1e85844648538aa6b0b2e40a96f8a42 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Tue, 10 Dec 2024 23:59:04 +0000
Subject: [PATCH] Sync from PR#2210 Create infra_abuse_hardbacon.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/2210 Source SHA 66eff76a518f360508bc71b32ccf9d9c82978108 Triggered by @aidenmitchell
---
 detection-rules/infra_abuse_hardbacon.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 detection-rules/infra_abuse_hardbacon.yml
diff --git a/detection-rules/infra_abuse_hardbacon.yml b/detection-rules/infra_abuse_hardbacon.yml
new file mode 100644
index 00000000000..1b32a9ac999
--- /dev/null
+++ b/detection-rules/infra_abuse_hardbacon.yml
@@ -0,0 +1,21 @@
+name: "Hardbacon infrastructure abuse"
+description: "Hardbacon is a defunct Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and sender.email.domain.root_domain in ('hardbacon.com', 'hardbacon.ca')
+  and headers.auth_summary.dmarc.pass
+  and headers.auth_summary.spf.pass
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "5330db42-10d2-5671-bcb2-a99449ac24c2"
+testing_pr: 2210
+testing_sha: 66eff76a518f360508bc71b32ccf9d9c82978108
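Review bot: The two authentication clauses in `source` (`and headers.auth_summary.dmarc.pass` / `and headers.auth_summary.spf.pass`) are the inverse of the usual spoofing-detection pattern, and nothing in the rule records why passing authentication is a required condition here, so a later maintainer could plausibly "fix" them by negating them. A comment above those lines would pin the intent, e.g. `// the legitimate hardbacon marketing platform is what is being abused, so mail is expected to authenticate; spoofed/unauthenticated lookalikes are left to other rules`. Requiring SPF pass on top of DMARC pass also narrows the match to messages whose envelope sender passes SPF — if the platform ever aligns via DKIM only with an SPF failure those would be missed, so it is worth confirming against the observed samples that the SPF clause is needed rather than DMARC alone. Finally, with no exclusions the rule fires on every authenticated message from either root domain; since the description says the company is defunct that breadth is presumably intentional, and the description could state that explicitly so the lack of any allow-list is not read as an oversight.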