Merge branch 'main' into morriscode-patch-14
morriscode authored Dec 12, 2023
2 parents 70130c4 + 965238c commit 136820d
Showing 24 changed files with 541 additions and 63 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/rule-validate.yml
Expand Up @@ -74,6 +74,11 @@ jobs:
run: |
! /bin/sh -c 'ls **/*.yaml'
- name: Verify no .yml files exist in the top directory
run: |
! /bin/sh -c 'ls *.yml'
- name: Commit & Push Results, if needed
run: |
rm response.txt
14 changes: 14 additions & 0 deletions detection-rules/attachment_adobe_image_lure_qr_code.yml
Expand Up @@ -80,6 +80,7 @@ source: |
"adobeprojectm.com",
"adoberesources.net",
"adobesc.com",
"adobesign.com",
"adobestock.com",
"createjs.com",
"licensingstack.com",
Expand All @@ -90,6 +91,19 @@ source: |
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
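Review bot: The DMARC-failure test on the `any(distinct(headers.hops, .authentication_results.dmarc is not null), ...` line uses `strings.ilike(.authentication_results.dmarc, "*fail")`, while the hop check added to detection-rules/body_extortion.yml in this same commit uses `.authentication_results.dmarc == "fail"`; the two predicates accept different sets of values (the wildcard form matches any result string ending in "fail"), so one form should be chosen and used in both rules. If the wildcard is deliberate here, a comment such as `// wildcard: accept any DMARC result ending in "fail"` next to it would make the intent explicit for the next editor. The enclosing `source` block continues past the end of this hunk.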
10 changes: 8 additions & 2 deletions detection-rules/attachment_dropbox_image_suspicious_links.yml
@@ -1,18 +1,24 @@
name: "Attachment: Dropbox image lure with no Dropbox domains in links"
description: "Detects Dropbox phishing emails with no dropbox links with image attachments from first time sender."
description: "Detects Dropbox phishing emails with no Dropbox links with image attachments from first time sender."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*"))
and any(body.links,
not strings.ilike(.href_url.domain.root_domain, "dropbox.*")
)
and any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*dropbox*")
and strings.ilike(.scan.ocr.raw, "*review*", "*sign*")
)
)
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
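Review bot: The new thread check `length(headers.references) == 0 or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))` only excludes messages that carry both a References header and an In-Reply-To header; a reply that has just one of the two still satisfies the rule. If the intent is to skip anything that is already part of a thread, the two conditions should be joined with `and` rather than `or`, and a one-line comment such as `// exclude replies that are already part of a thread` would record that intent above the block. The `source` block continues past the end of this hunk, so the trailing `or (` is closed outside the visible lines.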
53 changes: 53 additions & 0 deletions detection-rules/attachment_fake_attachment_image.yml
@@ -0,0 +1,53 @@
name: "Attachment: Fake attachment image lure"
description: |
Message body (or attached message body) contains a image faking an Outlook attachment button. The image contains OCR entities that are suspicious.
type: "rule"
severity: "medium"
source: |
type.inbound
and (
// fake file attachment preview in original email
any(attachments,
.file_type in $file_types_images
and .size < 5000
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name in~ ("financial", "urgency")
)
)
and any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
)
)
// fake file attachment preview in attached EML
or any(attachments,
.content_type == "message/rfc822"
and any(file.parse_eml(.).attachments,
.file_type in $file_types_images
and .size < 5000
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name in~ ("financial", "urgency")
)
)
)
)
)
tags:
- "Suspicious attachment"
- "Suspicious content"
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Image as content"
- "Social engineering"
detection_methods:
- "EML analysis"
- "File analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
id: "96b8b285-2116-5e45-b0ca-57b81dc87b94"
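Review bot: The attached-EML branch (`.content_type == "message/rfc822"` and the `file.parse_eml(.).attachments` check) has no counterpart to the `any(ml.logo_detect(.).brands, .name == "FakeAttachment")` requirement that the top-level branch imposes, so a nested message containing any image under 5000 bytes whose OCR text yields a "financial" or "urgency" entity fires without the fake-attachment image being confirmed by logo detection. If the looser condition is intended for nested messages, a comment inside that branch saying so would help; otherwise add `and any(file.parse_eml(.).attachments, any(ml.logo_detect(.).brands, .name == "FakeAttachment"))` next to the existing parse_eml check. The `.size < 5000` threshold appears twice with no explanation, and a short comment recording why that byte limit was chosen would make the rule easier to tune later. The description also reads `contains a image`, which should be `contains an image`.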
Expand Up @@ -18,6 +18,8 @@ source: |
any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence != "low")
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
16 changes: 11 additions & 5 deletions detection-rules/body_extortion.yml
Expand Up @@ -8,10 +8,12 @@ severity: "low"
source: |
type.inbound
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "extortion" and .confidence == "high"
)
and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "extortion" and .confidence == "high"
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
)
)
and (
(
Expand All @@ -22,8 +24,12 @@ source: |
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
)
// many extortion emails spoof sender domains and fail sender authentication
or any(headers.hops, .authentication_results.dmarc == "fail")
or any(headers.hops,
.authentication_results.dmarc == "fail"
or .authentication_results.compauth.verdict not in ("pass", "softpass")
)
)
attack_types:
- "Extortion"
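Review bot: The new `or .authentication_results.compauth.verdict not in ("pass", "softpass")` clause in the hop check appears to evaluate true for every hop that carries no Composite Authentication result (the field being null), which would make the whole `or any(headers.hops, ...)` branch true for mail from non-Microsoft tenants and bypass the free-mail and sender-domain exclusions above it; I am inferring the null handling from the expression shape, so please confirm against the query language's semantics. If that is the behaviour, guard it with `.authentication_results.compauth.verdict is not null and .authentication_results.compauth.verdict not in ("pass", "softpass")`. The existing comment `// many extortion emails spoof sender domains and fail sender authentication` should also mention that the Microsoft compauth verdict is now consulted alongside DMARC. The enclosing `source` block starts and ends outside both hunks; the first hunk only re-indents existing conditions.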
@@ -1,11 +1,11 @@
name: "Body: Microsoft logo or Suspicious Language and Bing open redirect"
name: "Body: Microsoft logo or Suspicious Language and an open redirect"
description: |
Email contains a Microsoft logo or suspicious terms and use of the Bing open redirect. This has been exploited in the wild to impersonate Microsoft.
type: "rule"
severity: "high"
source: |
type.inbound
// Microsoft logo
and (
any(attachments,
Expand Down Expand Up @@ -42,9 +42,11 @@ source: |
)
)
)
// Bing redirect
and any(body.links, .href_url.domain.root_domain == 'bing.com' and .href_url.path =~ '/ck/a')
// open redirect
and any(body.links,
any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
)
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain not in (
"bing.com",
Expand All @@ -57,6 +59,7 @@ source: |
"sharepointonline.com",
"yammer.com"
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques: