From 0ca3674def8b791782643d80486e2866e4a8896e Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 13 Nov 2024 23:02:16 +0000
Subject: [PATCH] Sync from PR#2120 Update credential_phishing_one_drive_impersonation.yml by @morriscode https://github.com/sublime-security/sublime-rules/pull/2120 Source SHA d42a67ee37c90748d1fe99dcf62c5047bbaf8973 Triggered by @morriscode
---
 ...ntial_phishing_one_drive_impersonation.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 detection-rules/credential_phishing_one_drive_impersonation.yml
diff --git a/detection-rules/credential_phishing_one_drive_impersonation.yml b/detection-rules/credential_phishing_one_drive_impersonation.yml
new file mode 100644
index 00000000000..884e20f9011
--- /dev/null
+++ b/detection-rules/credential_phishing_one_drive_impersonation.yml
@@ -0,0 +1,19 @@
+name: "Credential phishing: Onedrive impersonation"
+description: "This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language."
+type: "rule"
+severity: "high"
+source: "type.inbound\n// one drive is found in the sender display name or sender local part\nand (\n (\n regex.icontains(sender.display_name, '[0o]ne\\s?dr[il1]ve')\n or regex.icontains(sender.email.local_part, '[0o]ne\\s?dr[il1]ve')\n or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n \"one?drive\"\n ) < 2\n )\n or regex.imatch(body.current_thread.text, '[0o]ne\\s?dr[il1]ve.*')\n // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text\n or (\n regex.icontains(strings.replace_confusables(subject.subject),\n '[0o]ne\\s?dr[il1]ve'\n )\n and (\n any(body.links,\n .href_url.domain.root_domain in $free_subdomain_hosts\n and .href_url.domain.subdomain is not null\n and .href_url.domain.subdomain != \"www\"\n )\n or regex.contains(subject.subject, '(shared.{0,30}document)')\n or any(body.links,\n regex.icontains(.display_text,\n \"((view|show|access).(?:report|document)|review doc|view doc|view.attached)\"\n )\n )\n )\n )\n)\n\n// and body language is med/high confidence cred theft\nand any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence in (\"medium\", \"high\")\n)\nand length(body.links) < 10\nand sender.email.domain.root_domain not in (\n \"bing.com\",\n \"microsoft.com\",\n \"microsoftonline.com\",\n \"microsoftsupport.com\",\n \"microsoft365.com\",\n \"office.com\",\n \"onedrive.com\",\n \"sharepointonline.com\",\n \"yammer.com\",\n)\n\n// negate highly trusted sender domains unless they fail DMARC 
authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n\n// excludes docusign senders that contain \"via\" in the display name \nand not (\n any(headers.hops,\n any(.fields,\n .name == \"X-Api-Host\" and strings.ends_with(.value, \"docusign.net\")\n )\n )\n and strings.contains(sender.display_name, \"via\")\n)\nand not profile.by_sender().solicited\nand not profile.by_sender().any_false_positives\n"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free subdomain host"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "URL analysis"
+id: "1f990c92-a6d5-5a0b-9462-ac469a8d556e"
+testing_pr: 2120
+testing_sha: d42a67ee37c90748d1fe99dcf62c5047bbaf8973
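Review bot: The Microsoft allowlist in the new `source` (`sender.email.domain.root_domain not in ("bing.com", … "yammer.com")`) is applied with no authentication check, so a message whose From domain is forged as `onedrive.com` or `microsoft.com` and fails DMARC is excluded from the rule — exactly the sender a OneDrive impersonation would spoof; gate it on authentication the way the `$high_trust_sender_root_domains` clause just below already does, e.g. `and not (sender.email.domain.root_domain in ("bing.com", …, "yammer.com") and headers.auth_summary.dmarc.pass)`. Two smaller inconsistencies: `regex.contains(subject.subject, '(shared.{0,30}document)')` is the only case-sensitive regex in the rule (every other check is `icontains`/`imatch`), so a subject like "Shared Document" does not satisfy it, and the fuzzy sender check compares against the literal `"one?drive"` with `0 < … < 2`, which (assuming `ilevenshtein` takes a plain string, not a pattern) accepts only display names exactly one edit from that nine-character string — `onedrive`, `one drive`, `one-drive` — and none of the typosquats the regex already misses, so `"onedrive"` with a looser bound such as `< 3` is probably what was intended. The `regex.imatch(body.current_thread.text, '[0o]ne\\s?dr[il1]ve.*')` branch also deserves a comment: if `imatch` anchors to the whole string and `.` does not cross newlines, it fires only on single-line bodies that begin with the OneDrive token, and it sits at the same OR level as the sender checks so it bypasses the subject-plus-extra-signal gating, which neither the inline comment nor the `description` mentions.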