From b2344cc4177d3fe98c7a7235c9f319b757d11830 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 09:19:45 -0500 Subject: [PATCH 01/28] Update body_extortion.yml (#1081) --- detection-rules/body_extortion.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml index 3beca403221..acf105b4ff4 100644 --- a/detection-rules/body_extortion.yml +++ b/detection-rules/body_extortion.yml @@ -8,10 +8,12 @@ severity: "low" source: | type.inbound and ( - any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "extortion" and .confidence == "high" - ) - and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial") + any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "extortion" and .confidence == "high" + ) + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "financial" + ) ) and ( ( @@ -22,8 +24,12 @@ source: | sender.email.domain.root_domain not in $free_email_providers and sender.email.domain.domain not in $sender_domains ) + // many extortion emails spoof sender domains and fail sender authentication - or any(headers.hops, .authentication_results.dmarc == "fail") + or any(headers.hops, + .authentication_results.dmarc == "fail" + or .authentication_results.compauth.verdict not in ("pass", "softpass") + ) ) attack_types: - "Extortion" From 3bd778f4459719b75564bc5ce2ca8daabb8adef6 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 09:32:51 -0500 Subject: [PATCH 02/28] Update link_credential_phishing_intent_and_other_indicators.yml (#1088) --- .../link_credential_phishing_intent_and_other_indicators.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml index 2545aed1135..38e07d30fde 100644 
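Review bot: The new `.authentication_results.compauth.verdict not in ("pass", "softpass")` branch in the second hunk is true for any verdict other than those two values, including the case where a hop carries no Microsoft compauth result at all (non-M365 tenants, hops without an Authentication-Results header); if `not in` on a null verdict evaluates true, this OR branch becomes true for every inbound message and the free-provider/sender-domain gating above it is effectively bypassed. A null guard such as `.authentication_results.compauth.verdict is not null and .authentication_results.compauth.verdict not in ("pass", "softpass")` keeps the intent without that risk. compauth can also report `none`, which is not a failure; the `// many extortion emails spoof sender domains ...` comment should say whether `none` is meant to count.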
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml +++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml @@ -232,7 +232,7 @@ source: | "Information", "Invoice", '\bIT\b', - "Legal", + '\bLegal\b', "Lottery", "Management", "Manager", From cbe258dc1735f283c3ec65f8a4dcf46d18dd50c1 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 10:18:39 -0500 Subject: [PATCH 03/28] New Rule: QR code with phishing disposition in img or pdf (#1082) Co-authored-by: Josh Kamdjou --- ...n_img_or_pdf_with_phishing_disposition.yml | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 link_qr_code_in_img_or_pdf_with_phishing_disposition.yml diff --git a/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml b/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml new file mode 100644 index 00000000000..a8e31922d12 --- /dev/null +++ b/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml 
@@ -0,0 +1,51 @@ +name: "Link: QR code with phishing disposition in img or pdf" +description: "This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains." +type: "rule" +severity: "high" +source: | + type.inbound + and length(attachments) < 10 + and any(attachments, + (.file_type in $file_types_images or .file_type == "pdf") + and any(file.explode(.), + .scan.qr.type == "url" + + // linkanalysis phishing disposition + and any([beta.linkanalysis(.scan.qr.url)], + .credphish.disposition == "phishing" + ) + and .scan.qr.url.domain.root_domain not in $org_domains + ) + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + and not profile.by_sender().any_false_positives +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "QR code" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Computer Vision" + - "QR code analysis" + - "Sender analysis" + - "URL analysis" From 88f27eecfb5502f78afa1eb7ac4a5dcda54726db Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:49:37 -0700 Subject: [PATCH 04/28] Check for YAML in the root directory (#1094) --- .github/workflows/rule-validate.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml index c98120c8aba..f12c18cbe77 100644 
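Review bot: Inside the `any(file.explode(.), ...)` clause the cheap `.scan.qr.url.domain.root_domain not in $org_domains` exclusion comes after the `beta.linkanalysis(.scan.qr.url)` call, so link analysis is presumably run on every decoded QR URL, internal ones included, before they are discarded; moving the `$org_domains` check ahead of the linkanalysis block avoids that. The rule also evaluates `not profile.by_sender().any_false_positives` twice — inside the solicited/malicious `or` branch and again as the final conjunct — so the inner copy is redundant. The description says "image attachments" but the rule also accepts `.file_type == "pdf"`; `image or PDF attachments` would match the name.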
--- a/.github/workflows/rule-validate.yml +++ b/.github/workflows/rule-validate.yml @@ -74,6 +74,11 @@ jobs: run: | ! /bin/sh -c 'ls **/*.yaml' + + - name: Verify no .yml files exist in the top directory + run: | + ! /bin/sh -c 'ls *.yaml' + - name: Commit & Push Results, if needed run: | rm response.txt From 5c6f4a0a60f6ffa71d411265210a5de7df9f32e6 Mon Sep 17 00:00:00 2001 From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:58:42 -0700 Subject: [PATCH 05/28] Fix CI for top level files YAML -> YML (#1095) --- .github/workflows/rule-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml index f12c18cbe77..8e19410e188 100644 --- a/.github/workflows/rule-validate.yml +++ b/.github/workflows/rule-validate.yml @@ -77,7 +77,7 @@ jobs: - name: Verify no .yml files exist in the top directory run: | - ! /bin/sh -c 'ls *.yaml' + ! /bin/sh -c 'ls *.yml' - name: Commit & Push Results, if needed run: | From b335e466ae9bf3062697170ab8b6cf3ab05b17c1 Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 6 Dec 2023 12:13:06 -0800 Subject: [PATCH 06/28] Move rule to detection-rules (#1092) Co-authored-by: ID Generator --- .../link_qr_code_in_img_or_pdf_with_phishing_disposition.yml | 1 + 1 file changed, 1 insertion(+) rename link_qr_code_in_img_or_pdf_with_phishing_disposition.yml => detection-rules/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml (97%) diff --git a/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml b/detection-rules/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml similarity index 97% rename from link_qr_code_in_img_or_pdf_with_phishing_disposition.yml rename to detection-rules/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml index a8e31922d12..7159303f39e 100644 --- a/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml +++ b/detection-rules/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml 
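Review bot: After the fix to `! /bin/sh -c 'ls *.yml'` this step only checks `.yml` at the top level, while the step above it runs `ls **/*.yaml` under /bin/sh, where `**` without globstar is presumably just `*`, so a stray top-level `*.yaml` file is no longer caught by either step. A separate step `! /bin/sh -c 'ls *.yaml'` restores that coverage; keep it separate rather than `ls *.yml *.yaml`, since `ls` exits non-zero when either glob is empty and the negation would then mask a real match. The negated `ls` also passes on any other `ls` failure, not only "no match"; acceptable for a lint, but worth a one-line comment above the step.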
@@ -49,3 +49,4 @@ detection_methods: - "QR code analysis" - "Sender analysis" - "URL analysis" +id: "8e8949f6-3561-513f-8cde-254124e10cde" From cefe06fff02cfae0547eeaaf990983a7b3f142ec Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 16:40:46 -0500 Subject: [PATCH 07/28] Update impersonation_amazon.yml (#1100) --- detection-rules/impersonation_amazon.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml index fefefa60530..cb0e6d41a2f 100644 --- a/detection-rules/impersonation_amazon.yml +++ b/detection-rules/impersonation_amazon.yml @@ -41,6 +41,7 @@ source: | 'amazon.it', 'amazon.in', 'amazon.lu', + 'amazon.nl', 'amazon.com.au', 'amazonsellerservices.com', 'amazon.ae', From 362f2d53ea8cf0284ed0a286b4a28a86aaa2cb59 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 16:45:50 -0500 Subject: [PATCH 08/28] Update impersonation_barracuda.yml (#1098) --- detection-rules/impersonation_barracuda.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/detection-rules/impersonation_barracuda.yml b/detection-rules/impersonation_barracuda.yml index 76987ffe608..90b0961efcf 100644 --- a/detection-rules/impersonation_barracuda.yml +++ b/detection-rules/impersonation_barracuda.yml @@ -15,10 +15,13 @@ source: | 'barracudamsp.com', 'barracudanetworks.com', 'netsuite.com', - + // hockey team 'sharkssports.net', - 'sjbarracuda.com' + 'sjbarracuda.com', + + // Barracuda Barcatering + 'barracuda-barcatering.de' ) and ( profile.by_sender().prevalence in ("new", "outlier") @@ -27,6 +30,7 @@ source: | and not profile.by_sender().any_false_positives ) ) + attack_types: - "Credential Phishing" tactics_and_techniques: From f62ddf05ec36cf38283e1af36da7e01c475c2350 Mon Sep 17 00:00:00 2001 
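Review bot: The new `'barracuda-barcatering.de'` entry in impersonation_barracuda.yml joins a list that, judging from the context lines (the enclosing condition starts outside the hunk), exempts sender domains outright, with no DMARC or sender-authentication condition like the "negate highly trusted sender domains unless they fail DMARC" block used elsewhere in this series; a message that spoofs any domain in this list bypasses the rule regardless of authentication. Consider gating the exemption on a DMARC pass, and extend the `// Barracuda Barcatering` comment with why it is exempt, e.g. `// Barracuda Barcatering: unrelated business sharing the name, legitimate sender`, so the list can be pruned later.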
From: Sam Scholten Date: Wed, 6 Dec 2023 16:49:55 -0500 Subject: [PATCH 09/28] Update impersonation_human_resources.yml (#1096) --- detection-rules/impersonation_human_resources.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index 316da757473..0cc682a0cc1 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml @@ -8,7 +8,12 @@ source: | and regex.icontains(sender.display_name, '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)' ) - + + // negate replies + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) // Negate common marketing mailers and not regex.icontains(sender.display_name, 'HR (Events|Expert)') From dfebf62eab59878e2b90cf21611631468f0b801e Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 16:59:29 -0500 Subject: [PATCH 10/28] Update google_drive_abuse_credential_phishing.yml (#1090) Co-authored-by: Josh Kamdjou Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> --- detection-rules/google_drive_abuse_credential_phishing.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/detection-rules/google_drive_abuse_credential_phishing.yml b/detection-rules/google_drive_abuse_credential_phishing.yml index a272cbf32b5..d41b2a0233c 100644 --- a/detection-rules/google_drive_abuse_credential_phishing.yml +++ b/detection-rules/google_drive_abuse_credential_phishing.yml @@ -26,8 +26,13 @@ source: | ) ) and not beta.linkanalysis(..).effective_url.domain.domain == "accounts.google.com" + // standard Google Docs error + and not strings.contains(.scan.ocr.raw, + "encountered an error. Please try reloading this page" + ) ) ) + attack_types: - "Credential Phishing" tactics_and_techniques: From 5ea57fd521035f35229f19234205b236974ed41d Mon Sep 17 00:00:00 2001 
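Review bot: The added `// negate replies` block in impersonation_human_resources.yml keys off `headers.references` and an `In-Reply-To` header, both of which are written by the sender, so an attacker who adds both to an HR-impersonation message opts out of this rule; that is a reasonable FP trade-off but should be stated, e.g. `// negate replies (References/In-Reply-To are sender-controlled; accepted evasion trade-off)`. As written only messages carrying both headers are exempted — one with `In-Reply-To` but an empty `References` still fires — which may be intended but deserves a note. The same block is added verbatim to attachment_dropbox_image_suspicious_links.yml in this series; keep the two in sync.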
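Review bot: In google_drive_abuse_credential_phishing.yml the new `not strings.contains(.scan.ocr.raw, "encountered an error. Please try reloading this page")` negation matches text OCR'd from the linked page, which the page author controls, so a phishing page that renders that sentence anywhere visible exempts itself; the `// standard Google Docs error` comment should name this as a known evasion trade-off. OCR output also varies in case and punctuation; if `strings.contains` is case-sensitive, `strings.icontains` is the safer choice here. The enclosing `any(file.explode(...), ...)` starts outside the hunk.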
From: Sam Scholten Date: Wed, 6 Dec 2023 17:07:54 -0500 Subject: [PATCH 11/28] Update attachment_free_subdomain_suspicious_link_language.yml (#1091) --- .../attachment_free_subdomain_suspicious_link_language.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml index 628ae4b8c27..a73d9d09772 100644 --- a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml +++ b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml @@ -18,6 +18,8 @@ source: | any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence != "low") ) ) +tags: + - "Attack surface reduction" attack_types: - "Credential Phishing" tactics_and_techniques: From 34f00f5c28cbe11c2273b99eff6b3f124d833f7e Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 17:20:05 -0500 Subject: [PATCH 12/28] Update link_suspicious_message_unscannable_cloudflare.yml (#1093) --- ..._suspicious_message_unscannable_cloudflare.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/detection-rules/link_suspicious_message_unscannable_cloudflare.yml b/detection-rules/link_suspicious_message_unscannable_cloudflare.yml index cb8cb1012f0..b1fa990b2be 100644 --- a/detection-rules/link_suspicious_message_unscannable_cloudflare.yml +++ b/detection-rules/link_suspicious_message_unscannable_cloudflare.yml 
@@ -5,8 +5,18 @@ severity: "medium" source: | type.inbound and ( // sender domain matches no body domains - length(body.links) > 0 - and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain) + 0 < length(body.links) < 10 + and all(body.links, + .href_url.domain.root_domain != sender.email.domain.root_domain + ) + ) + + // negate bouncebacks and undeliverables + and not any(attachments, + .content_type in ( + "message/global-delivery-status", + "message/delivery-status" + ) ) // suspicious subject or display name @@ -240,6 +250,7 @@ source: | or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) and not profile.by_sender().any_false_positives + attack_types: - "Credential Phishing" From a88e851dbb15c633680b6b16ae78c3f8eb24b050 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 17:36:14 -0500 Subject: [PATCH 13/28] Update impersonation_microsoft.yml (#1101) --- detection-rules/impersonation_microsoft.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml index 2eb31286c2a..8c465b955e8 100644 --- a/detection-rules/impersonation_microsoft.yml +++ b/detection-rules/impersonation_microsoft.yml 
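Review bot: The new upper bound in `0 < length(body.links) < 10` silently exempts any message with ten or more links, and nothing in the hunk says why the cap exists; a comment such as `// cap link count: <reason>; messages above it are an accepted gap` (with the real reason filled in) stops the threshold from being treated as arbitrary later. The bounceback negation on `message/delivery-status` and `message/global-delivery-status` attachment content types is sound; note that it only covers bouncing MTAs that attach a DSN part, so plain-text NDRs are presumably still evaluated.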
@@ -18,11 +18,11 @@ source: | ) or ( // should catch any instance of the word "expired" - strings.ilike(body.html.display_text, "*expir*") - and strings.ilike(body.html.display_text, "*password*") - and strings.ilike(body.html.display_text, "*microsoft*") + strings.ilike(body.current_thread.text, "*expir*") + and strings.ilike(body.current_thread.text, "*password*") + and strings.ilike(body.current_thread.text, "*microsoft*") ) - or regex.icontains(body.html.display_text, ".*reach you.*microsoft teams") + or regex.icontains(body.current_thread.text, ".*reach you.*microsoft teams") or strings.ilike(sender.display_name, '*new activity in Teams*') or subject.subject =~ 'Offline Message in Teams' or strings.ilike(subject.subject, '*Teams Sent A Message') @@ -49,7 +49,7 @@ source: | and not profile.by_sender().any_false_positives ) ) - + // negate highly trusted sender domains unless they fail DMARC authentication and ( From c98d74ceccc862546d03c631d7143a9e62ad0c11 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 6 Dec 2023 19:45:56 -0500 Subject: [PATCH 14/28] Moving rule to discovery: attachment_pdf_embedded_js.yml (#1103) --- .../attachment_pdf_embedded_js.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {detection-rules => discovery-rules}/attachment_pdf_embedded_js.yml (100%) diff --git a/detection-rules/attachment_pdf_embedded_js.yml b/discovery-rules/attachment_pdf_embedded_js.yml similarity index 100% rename from detection-rules/attachment_pdf_embedded_js.yml rename to discovery-rules/attachment_pdf_embedded_js.yml From 85a4b5878555f5012643ce7ef575c523cb4bef20 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 7 Dec 2023 12:40:43 -0500 Subject: [PATCH 15/28] Update google_drive_abuse_credential_phishing.yml (#1107) --- detection-rules/google_drive_abuse_credential_phishing.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
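Review bot: In `regex.icontains(body.current_thread.text, ".*reach you.*microsoft teams")` the leading `.*` is redundant for an unanchored contains-match and only adds backtracking on long bodies; `regex.icontains(body.current_thread.text, "reach you.*microsoft teams")` is equivalent. The switch from `body.html.display_text` to `body.current_thread.text` also means quoted earlier messages in a thread no longer count toward the expired-password and Teams checks, which is presumably the intent (fewer FPs on replies) but is not stated in the commit message; a one-line comment above the block, e.g. `// current thread only: quoted history is ignored to reduce FPs`, would record it.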
diff --git a/detection-rules/google_drive_abuse_credential_phishing.yml b/detection-rules/google_drive_abuse_credential_phishing.yml index d41b2a0233c..52e2e3bbd2d 100644 --- a/detection-rules/google_drive_abuse_credential_phishing.yml +++ b/detection-rules/google_drive_abuse_credential_phishing.yml @@ -11,6 +11,10 @@ source: | "drive-shares-dm-noreply@google.com", "drive-shares-noreply@google.com" ) + + // malicious observed shares don't include the google "Added you as an editor" phrase. + // allowing user edits to a malicous document could neuter the threat + and not strings.contains(body.current_thread.text, "added you as an editor") and any(body.links, .href_url.domain.domain != "support.google.com" and any(file.explode(beta.linkanalysis(.).screenshot), @@ -19,7 +23,7 @@ source: | .name == "cred_theft" and .confidence in ("medium", "high") ) - or ( + and ( length(ml.logo_detect(beta.linkanalysis(..).screenshot).brands ) > 0 and beta.linkanalysis(..).credphish.disposition == "phishing" From 2030067b3c22cf206b4efe2e86af37ae3c691b72 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 7 Dec 2023 12:44:00 -0500 Subject: [PATCH 16/28] Update disposable_sender_unsolicited.yml (#1102) --- detection-rules/disposable_sender_unsolicited.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/detection-rules/disposable_sender_unsolicited.yml b/detection-rules/disposable_sender_unsolicited.yml index 0da99bbf41f..f41103f60a1 100644 --- a/detection-rules/disposable_sender_unsolicited.yml +++ b/detection-rules/disposable_sender_unsolicited.yml @@ -8,6 +8,8 @@ source: |- type.inbound and sender.email.domain.root_domain in $disposable_email_providers and sender.email.email not in $recipient_emails +tags: + - "Attack surface reduction" detection_methods: - "Sender analysis" id: "5436b3db-3f17-5100-8136-1d03fc221fca" From 40b6f4c474652e6fa9c82fbf213878f29aab1f7a Mon Sep 17 00:00:00 2001 
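Review bot: The new `not strings.contains(body.current_thread.text, "added you as an editor")` is case-sensitive if `strings.contains` behaves like its name suggests, while the comment directly above quotes the Google phrase as `"Added you as an editor"` with a capital A; if the notification text is capitalised, the negation never matches. `strings.icontains(body.current_thread.text, "added you as an editor")` sidesteps the question. The negation is also attacker-controlled (sharing the document with editor rights exempts the share), which the comment partly justifies but should call out as a trade-off; typo in that comment: `malicous` → `malicious`. The second hunk's `or` → `and` now requires both a cred_theft intent and a detected brand logo with a phishing disposition, a real narrowing of coverage that the commit message does not mention.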
From: Aiden Mitchell Date: Thu, 7 Dec 2023 11:04:18 -0800 Subject: [PATCH 17/28] Negating adobesign.com (#1109) --- .../attachment_adobe_image_lure_qr_code.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/detection-rules/attachment_adobe_image_lure_qr_code.yml b/detection-rules/attachment_adobe_image_lure_qr_code.yml index cf1386a987d..a8240b5f819 100644 --- a/detection-rules/attachment_adobe_image_lure_qr_code.yml +++ b/detection-rules/attachment_adobe_image_lure_qr_code.yml @@ -80,6 +80,7 @@ source: | "adobeprojectm.com", "adoberesources.net", "adobesc.com", + "adobesign.com", "adobestock.com", "createjs.com", "licensingstack.com", @@ -90,6 +91,19 @@ source: | ) ) ) + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) and ( not profile.by_sender().solicited From 5f110d280465e4661d9322c401a7649d422b1c74 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 7 Dec 2023 14:21:36 -0800 Subject: [PATCH 18/28] Update attachment_dropbox_image_suspicious_links.yml (#1112) --- .../attachment_dropbox_image_suspicious_links.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml index 478744466bc..a6df96eb6e4 100644 --- a/detection-rules/attachment_dropbox_image_suspicious_links.yml +++ b/detection-rules/attachment_dropbox_image_suspicious_links.yml 
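Review bot: In the added "negate highly trusted sender domains unless they fail DMARC" block, `any(distinct(headers.hops, .authentication_results.dmarc is not null), ...)` is false when no hop reports a DMARC result, so a message claiming a high-trust sender domain with no Authentication-Results at all is exempted rather than treated as unauthenticated. If that is not intended, make the exemption require a recorded pass instead, e.g. replace the inner `any(...)` with `not any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "pass"))`. The same block is copied verbatim into other new rules in this series; a comment naming the canonical copy would help keep them identical.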
@@ -1,11 +1,13 @@ name: "Attachment: Dropbox image lure with no Dropbox domains in links" -description: "Detects Dropbox phishing emails with no dropbox links with image attachments from first time sender." +description: "Detects Dropbox phishing emails with no Dropbox links with image attachments from first time sender." type: "rule" severity: "medium" source: | type.inbound and length(filter(attachments, .file_type not in $file_types_images)) == 0 - and any(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*")) + and any(body.links, + not strings.ilike(.href_url.domain.root_domain, "dropbox.*") + ) and any(attachments, .file_type in $file_types_images and any(file.explode(.), @@ -13,6 +15,10 @@ source: | and strings.ilike(.scan.ocr.raw, "*review*", "*sign*") ) ) + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) and ( profile.by_sender().prevalence in ("new", "outlier") or ( From 4ee2553c35b41006d3714e9607d184f6ab6171ac Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 7 Dec 2023 14:25:37 -0800 Subject: [PATCH 19/28] Restoring rule + adding unsolicited (#1110) --- .../link_content_credential_phishing.yml | 47 +++++++++---------- 1 file changed, 21 insertions(+), 26 deletions(-) diff --git a/detection-rules/link_content_credential_phishing.yml b/detection-rules/link_content_credential_phishing.yml index e89b1aa4ebe..50d1638f1b1 100644 --- a/detection-rules/link_content_credential_phishing.yml +++ b/detection-rules/link_content_credential_phishing.yml 
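Review bot: The name says "no Dropbox domains in links" and the corrected description says "no Dropbox links", but the reformatted `any(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*"))` is true as soon as one link is non-Dropbox, so a message mixing genuine Dropbox links with a single other link matches. Either `all(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*"))` to implement the description, or reword the description to "at least one non-Dropbox link". The reply negation added here duplicates the one in impersonation_human_resources.yml from this series and carries the same caveat that References/In-Reply-To are sender-controlled; the trailing `and (` continues outside the hunk.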
@@ -6,32 +6,27 @@ type: "rule" severity: "high" source: | type.inbound - and any(attachments, - ( - // office files - .file_extension in~ $file_extensions_macros - or .file_extension in~ $file_extensions_common_archives - or ( - .file_extension is null - and .file_type == "unknown" - and .content_type == "application/octet-stream" - and .size < 100000 - ) - ) - and ( - any(file.explode(.), - ( - any(.scan.strings.strings, - strings.ilike(., '*URLDownloadToFile*') - ) - and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*')) - ) - or any(.scan.strings.strings, - regex.icontains(., - 'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}' - ) - ) - ) + and ( + any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "cred_theft" and .confidence in ("medium", "high") + ) + // embedded in an image attachment + // note: don't use message_screenshot() for now + // because it's not limited to current_thread and may FP + or any(attachments, + .file_type in $file_types_images + and any(file.explode(.), + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "cred_theft" and .confidence in ("medium", "high") + ) + ) + ) + ) + and any(body.links, + beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing" + and beta.linkanalysis(., mode="aggressive").credphish.confidence in ( + "medium", + "high" ) ) and ( From 97ea08ff6823db68d62c5221ad59ec3e5556e663 Mon Sep 17 00:00:00 2001 From: greasy-weasel Date: Mon, 11 Dec 2023 15:56:52 +0000 Subject: [PATCH 20/28] Update impersonation_dhl.yml to add dhltariff.co.uk' (#1115) --- detection-rules/impersonation_dhl.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml index 45450a6df52..0d546853ef7 100644 --- a/detection-rules/impersonation_dhl.yml +++ b/detection-rules/impersonation_dhl.yml 
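Review bot: `any(body.links, beta.linkanalysis(., mode="aggressive")...)` runs aggressive link analysis on every link in the body with no cap and invokes it twice per link (disposition and confidence); other rules in this series bound the link count, so a similar guard before the `any(...)`, e.g. `and 0 < length(body.links) < 10`, keeps cost predictable and avoids crawling link-heavy newsletters. The `// note: don't use message_screenshot() for now` comment is the right kind of note; add one for why `mode="aggressive"` is needed here rather than the default. The `and (` at the end of the hunk, where the "unsolicited" condition from the commit title presumably lives, is outside the hunk.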
@@ -25,7 +25,8 @@ source: | 'dhl.fr', 'dhlending.com', 'inmotion.dhl', - 'dhlparcel.nl' + 'dhlparcel.nl', + 'dhltariff.co.uk' ) and ( profile.by_sender().prevalence in ("new", "outlier") From 6489160cfc1fef125185d6648e90a3d7969d7228 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Mon, 11 Dec 2023 09:48:20 -0800 Subject: [PATCH 21/28] Create impersonation_dashlane.yml (#1108) Co-authored-by: ID Generator Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Sam Scholten --- detection-rules/impersonation_dashlane.yml | 41 ++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 detection-rules/impersonation_dashlane.yml diff --git a/detection-rules/impersonation_dashlane.yml b/detection-rules/impersonation_dashlane.yml new file mode 100644 index 00000000000..7c217b54031 --- /dev/null +++ b/detection-rules/impersonation_dashlane.yml 
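Review bot: `'dhltariff.co.uk'` is added to what the context lines show is a sender-domain exemption list, and nothing in the hunk says whether this domain is operated by DHL; exempting a lookalike in a brand-impersonation rule is exactly the bypass the rule exists to catch. Record the provenance inline, e.g. `'dhltariff.co.uk', // DHL UK customs/tariff mailer, verified via <source>`, or tie the exemption to a DMARC pass as other rules in this series do. The commit title also carries a stray trailing quote.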
@@ -0,0 +1,41 @@ +name: "Brand impersonation: Dashlane" +description: "Impersonation of the password management software Dashlane." +type: "rule" +severity: "medium" +source: | + type.inbound + and ( + regex.icontains(sender.display_name, '\bDashlane\b') + or strings.ilike(sender.email.domain.domain, '*Dashlane*') + ) + and sender.email.domain.root_domain not in~ ('dashlane.com') + and ( + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" +id: "9e400937-4e7e-53fe-ad34-8393ab01890e" From df554071718037e3f3fc4d73db8249465cee3365 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Mon, 11 Dec 2023 12:11:25 -0800 Subject: [PATCH 22/28] New Rule (Attachment): Fake attachment image lure (#723) Co-authored-by: Sam Scholten Co-authored-by: ID Generator Co-authored-by: Sam Scholten --- .../attachment_fake_attachment_image.yml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 detection-rules/attachment_fake_attachment_image.yml diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml new file mode 100644 index 00000000000..7d5a91c7882 --- /dev/null +++ b/detection-rules/attachment_fake_attachment_image.yml 
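Review bot: `sender.email.domain.root_domain not in~ ('dashlane.com')` exempts the genuine domain unconditionally, so a message whose From address is forged as `@dashlane.com` is never evaluated by this rule, even though the later block already encodes the "unless they fail DMARC" idea for high-trust domains. Applying the same idea to the brand domain — e.g. `(sender.email.domain.root_domain not in~ ('dashlane.com') or any(headers.hops, .authentication_results.dmarc == "fail"))` — covers the direct-spoof case. The high-trust block, as copied here, also exempts a high-trust sender with no DMARC result on any hop (`any(...)` over an empty set is false), which is worth a comment if accepted.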
@@ -0,0 +1,53 @@ +name: "Attachment: Fake attachment image lure" +description: | + Message body (or attached message body) contains a image faking an Outlook attachment button. The image contains OCR entities that are suspicious. +type: "rule" +severity: "medium" +source: | + type.inbound + and ( + // fake file attachment preview in original email + any(attachments, + .file_type in $file_types_images + and .size < 5000 + and any(file.explode(.), + any(ml.nlu_classifier(.scan.ocr.raw).entities, + .name in~ ("financial", "urgency") + ) + ) + ) + or any(attachments, + .file_type in $file_types_images + and any(ml.logo_detect(.).brands, .name == "FakeAttachment") + ) + // fake file attachment preview in attached EML + or any(attachments, + .content_type == "message/rfc822" + and any(file.parse_eml(.).attachments, + .file_type in $file_types_images + and .size < 5000 + and any(file.explode(.), + any(ml.nlu_classifier(.scan.ocr.raw).entities, + .name in~ ("financial", "urgency") + ) + ) + ) + ) + ) + +tags: + - "Suspicious attachment" + - "Suspicious content" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Image as content" + - "Social engineering" +detection_methods: + - "EML analysis" + - "File analysis" + - "Natural Language Understanding" + - "Optical Character Recognition" +id: "96b8b285-2116-5e45-b0ca-57b81dc87b94" From ecf32d98226cef99c8bd86ad404fb2f776c40c23 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Mon, 11 Dec 2023 17:00:35 -0500 Subject: [PATCH 23/28] Update inline_image_as_message.yml (#1104) --- detection-rules/inline_image_as_message.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/detection-rules/inline_image_as_message.yml b/detection-rules/inline_image_as_message.yml index 9a46199c0c3..428ee8e078d 100644 --- a/detection-rules/inline_image_as_message.yml +++ b/detection-rules/inline_image_as_message.yml 
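Review bot: The three branches are not parallel: the top-level image branches check both the NLU entities on small images (`.size < 5000`) and `ml.logo_detect(.).brands` for `FakeAttachment`, but the `file.parse_eml(.).attachments` branch repeats only the entity check, so a fake-attachment image inside an attached `.eml` is detected only via OCR entities. Either mirror the `logo_detect` check in the EML branch or note why it is omitted. Unlike the other rules in this series, there is no sender or `profile.by_sender()` gating, so any inbound message with a tiny image whose OCR yields a financial or urgency entity fires; if that is deliberate, say so in the description. Description typo: `a image` → `an image`.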
@@ -9,15 +9,16 @@ severity: "low" source: | type.inbound and length(body.html.raw) < 200 + and length(body.links) > 0 and ( - ( - length(body.links) > 0 - - // as of 20220116 there's a link parsing bug with .png inline images, so ignore those - and any(body.links, not strings.ilike(.href_url.url, "*.png")) - ) + // as of 20220116 there's a link parsing bug with .png inline images, so ignore those + any(body.links, not strings.ilike(.href_url.url, "*.png")) + // cid images are treated as attachments, so we're looking for more than 1 - or (length(attachments) > 1 and any(attachments, .file_type not in $file_types_images)) + or ( + length(attachments) > 1 + and any(attachments, .file_type not in $file_types_images) + ) ) and strings.ilike(body.html.raw, "*img*cid*") and ( From 7ab6951ecc1c39b6646382e7adda69382ee4ebb3 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Mon, 11 Dec 2023 20:45:23 -0500 Subject: [PATCH 24/28] New Rule: Credential Phishing Suspicious subject with urgent financial (#1071) Co-authored-by: ID Generator Co-authored-by: Josh Kamdjou --- ...uspicious_subject_nlu_financial_urgent.yml | 267 ++++++++++++++++++ 1 file changed, 267 insertions(+) create mode 100644 detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml new file mode 100644 index 00000000000..cce6d5299ae --- /dev/null +++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml 
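Review bot: Hoisting `length(body.links) > 0` above the `or` changes behaviour: before, the `length(attachments) > 1 and any(attachments, .file_type not in $file_types_images)` branch could match a message with no links, and now both branches require at least one link, a narrowing the commit message does not mention. If intended, record it, e.g. `// both branches require at least one link`; if not, keep `length(body.links) > 0` inside the first branch only. The `as of 20220116 there's a link parsing bug with .png inline images` workaround is nearly two years old at this commit and worth re-checking.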
@@ -0,0 +1,267 @@ +name: "Credential Phishing: Suspicious subject with urgent financial request and link" +description: "This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender." +type: "rule" +severity: "medium" +source: | + type.inbound + and 0 < length(body.links) < 5 + + // ignore emails in body + and not all(body.links, .href_url.domain.domain in $free_email_providers) + + and length(body.current_thread.text) < 2000 + and length(subject.subject) < 100 + + // and suspicious subject + and regex.icontains(subject.subject, + // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects_regex.txt + "termination.*notice", + "38417", + ":completed", + "[il1]{2}mit.*ma[il1]{2} ?bo?x", + "[il][il][il]egai[ -]", + "[li][li][li]ega[li] attempt", + "[ng]-?[io]n .*block", + "[ng]-?[io]n .*cancel", + "[ng]-?[io]n .*deactiv", + "[ng]-?[io]n .*disabl", + "action.*required", + "abandon.*package", + "about.your.account", + "acc(ou)?n?t (is )?on ho[li]d", + "acc(ou)?n?t.*terminat", + "acc(oun)?t.*[il1]{2}mitation", + "access.*limitation", + "account (will be )?block", + "account.*de-?activat", + "account.*locked", + "account.*re-verification", + "account.*security", + "account.*suspension", + "account.has.been", + "account.has.expired", + "account.will.be.blocked", + "account v[il]o[li]at", + "activity.*acc(oun)?t", + "almost.full", + "app[li]e.[il]d", + "authenticate.*account", + "been.*suspend", + "clos.*of.*account.*processed", + "confirm.your.account", + "courier.*able", + "deactivation.*in.*progress", + "delivery.*attempt.*failed", + "document.received", + "documented.*shared.*with.*you", + "dropbox.*document", + "e-?ma[il1]+ .{010}suspen", + "e-?ma[il1]{1} user", + "e-?ma[il1]{2} acc", + "e-?ma[il1]{2}.*up.?grade", + "e.?ma[il1]{2}.*server", + 
"e.?ma[il1]{2}.*suspend", + "email.update", + "faxed you", + "fraud(ulent)?.*charge", + "from.helpdesk", + "fu[il1]{2}.*ma[il1]+[ -]?box", + "has.been.*suspended", + "has.been.limited", + "have.locked", + "he[li]p ?desk upgrade", + "heipdesk", + "i[il]iega[il]", + "ii[il]ega[il]", + "incoming e?mail", + "incoming.*fax", + "lock.*security", + "ma[il1]{1}[ -]?box.*quo", + "ma[il1]{2}[ -]?box.*fu[il1]", + "ma[il1]{2}box.*[il1]{2}mit", + "ma[il1]{2}box stor", + "mail on.?hold", + "mail.*box.*migration", + "mail.*de-?activat", + "mail.update.required", + "mails.*pending", + "messages.*pending", + "missed.*shipping.*notification", + "missed.shipment.notification", + "must.update.your.account", + "new [sl][io]g?[nig][ -]?in from", + "new voice ?-?mail", + "notifications.*pending", + "office.*3.*6.*5.*suspend", + "office365", + "on google docs with you", + "online doc", + "password.*compromised", + "periodic maintenance", + "potential(ly)? unauthorized", + "refund not approved", + "revised.*policy", + "scam", + "scanned.?invoice", + "secured?.update", + "security breach", + "securlty", + "signed.*delivery", + "status of your .{314}? 
?delivery", + "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty", + "suspicious.*sign.*[io]n", + "suspicious.activit", + "temporar(il)?y deactivate", + "temporar[il1]{2}y disab[li]ed", + "temporarily.*lock", + "un-?usua[li].activity", + "unable.*deliver", + "unauthorized.*activit", + "unauthorized.device", + "unauthorized.sign.?in", + "unrecognized.*activit", + "unrecognized.sign.?in", + "unrecognized.*activit", + "undelivered message", + "unread.*doc", + "unusual.activity", + "upgrade.*account", + "upgrade.notice", + "urgent message", + "urgent.verification", + "v[il1]o[li1]at[il1]on security", + "va[il1]{1}date.*ma[il1]{2}[ -]?box", + "verification ?-?require", + "verification( )?-?need", + "verify.your?.account", + "web ?-?ma[il1]{2}", + "web[ -]?ma[il1]{2}", + "will.be.suspended", + "your (customer )?account .as", + "your.office.365", + "your.online.access", + + // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt + "account has been limited", + "action required", + "almost full", + "apd notifi cation", + "are you at your desk", + "are you available", + "attached file to docusign", + "banking is temporarily unavailable", + "bankofamerica", + "closing statement invoice", + "completed: docusign", + "de-activation of", + "delivery attempt", + "delivery stopped for shipment", + "detected suspicious", + "detected suspicious actvity", + "docu sign", + "document for you", + "document has been sent to you via docusign", + "document is ready for signature", + "docusign", + "encrypted message", + "failed delivery", + "fedex tracking", + "file was shared", + "freefax", + "fwd: due invoice paid", + "has shared", + "inbox is full", + "invitation to comment", + "invitation to edit", + "invoice due", + "left you a message", + "message from", + "new message", + "new voicemail", + "on desk", + "out of space", + "password reset", + "payment status", + "quick reply", + "re: w-2", + "required", + "required: completed docusign", + "ringcentral", + 
"scanned image", + "secured files", + "secured pdf", + "security alert", + "new sign-in", + "new sign in", + "sign-in attempt", + "sign in attempt", + "staff review", + "suspicious activity", + "unrecognized login attempt", + "upgrade immediately", + "urgent", + "wants to share", + "w2", + "you have notifications pending", + "your account", + "your amazon order", + "your document settlement", + "your order with amazon", + "your password has been compromised", + ) + + // language attempting to engage + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "request" + ) + + // financial request + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "financial" + ) + + // urgency request + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "urgency" + ) + + // org presence + and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org") + + // not a reply + and ( + not strings.istarts_with(subject.subject, "re:") + and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // the message is unsolicited and no false positives + and ( + not profile.by_sender().solicited + or profile.by_sender().any_messages_malicious_or_spam + ) + and not profile.by_sender().any_false_positives + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" +id: "056464f4-7a16-5f07-ab86-912e0a64ecae" 
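Review bot: Two of the subject patterns carry quantifiers that cannot match what they are evidently meant to: `"e-?ma[il1]+ .{010}suspen"` requires exactly ten characters (on most engines a leading zero is just decimal 10) between the space and `suspen`, and `"status of your .{314}? ?delivery"` requires exactly 314 characters, which the rule's own `length(subject.subject) < 100` guard makes impossible. The intended forms are presumably `.{0,10}` and `.{3,14}?` (the lazy `?` after a fixed count is a no-op); since the comment cites an upstream static-files list, the correction should land there too so the next sync does not reintroduce it. Separately, `"unrecognized.*activit"` appears twice and `"docusign"` already subsumes the other docusign entries, so the list can be trimmed without changing what matches.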
From e77b75a78ec276673464826471d3c3fc619f9889 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Tue, 12 Dec 2023 14:46:21 -0500 Subject: [PATCH 25/28] Rename link_freefile_freemail_nlu.yml to link_freefile_freemail_nlu.yml (#1113) --- .../link_freefile_freemail_nlu.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {detection-rules => discovery-rules}/link_freefile_freemail_nlu.yml (100%) diff --git a/detection-rules/link_freefile_freemail_nlu.yml b/discovery-rules/link_freefile_freemail_nlu.yml similarity index 100% rename from detection-rules/link_freefile_freemail_nlu.yml rename to discovery-rules/link_freefile_freemail_nlu.yml From 8e086424f7be0315c468c37c3bbeadab14185155 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Tue, 12 Dec 2023 16:12:04 -0500 Subject: [PATCH 26/28] Update impersonation_recipient_domain.yml (#1106) --- detection-rules/impersonation_recipient_domain.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml index 9bc551225ac..4296ed09cd9 100644 --- a/detection-rules/impersonation_recipient_domain.yml +++ b/detection-rules/impersonation_recipient_domain.yml @@ -8,13 +8,13 @@ type: "rule" severity: "medium" source: | type.inbound - + // only 1 To: recipient and length(recipients.to) + length(recipients.bcc) + length(recipients.cc) == 1 and any(recipients.to, // custom domains only sender.email.domain.domain not in $free_email_providers - + // recipient's domain is in the sender's display name and strings.icontains(sender.display_name, .email.domain.root_domain) ) @@ -30,8 +30,8 @@ source: | ) ) - and all(recipients.to, .email.email != sender.email.email) - + and all(recipients.to, .email.domain.root_domain != sender.email.domain.root_domain) + and ( profile.by_sender().prevalence in ("new", "outlier") or ( 
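Review bot: The new negation `all(recipients.to, .email.domain.root_domain != sender.email.domain.root_domain)` also suppresses the case where an external sender spoofs the recipient's root domain in the From address while putting it in the display name, whereas the old address-only comparison kept that case and left it to the authentication block further down. If the goal is only to silence genuine internal senders, gating the comparison on authentication preserves the spoof case, e.g. `and all(recipients.to, .email.domain.root_domain != sender.email.domain.root_domain or any(headers.hops, .authentication_results.dmarc == "fail"))`. Presumably a separate own-domain-spoof rule covers that scenario, but nothing visible here confirms it, and the `source:` block continues past the hunk.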
@@ -39,7 +39,7 @@ source: | and not profile.by_sender().any_false_positives ) ) - + // negate highly trusted sender domains unless they fail DMARC authentication and ( From 76e5bd88107f00434aab0c814ae4b2424be336c5 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Tue, 12 Dec 2023 13:26:45 -0800 Subject: [PATCH 27/28] Update attachment_fake_attachment_image.yml (#1121) --- detection-rules/attachment_fake_attachment_image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml index 7d5a91c7882..7238118bc45 100644 --- a/detection-rules/attachment_fake_attachment_image.yml +++ b/detection-rules/attachment_fake_attachment_image.yml @@ -15,10 +15,10 @@ source: | .name in~ ("financial", "urgency") ) ) - ) - or any(attachments, - .file_type in $file_types_images - and any(ml.logo_detect(.).brands, .name == "FakeAttachment") + and any(attachments, + .file_type in $file_types_images + and any(ml.logo_detect(.).brands, .name == "FakeAttachment") + ) ) // fake file attachment preview in attached EML or any(attachments, From 965238c9fd27b4ad4b30e328c22fe09c0105ac69 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Tue, 12 Dec 2023 16:56:54 -0500 Subject: [PATCH 28/28] =?UTF-8?q?Update=20and=20rename=20body=5Fmicrosoft?= =?UTF-8?q?=5Flogo=5Fbing=5Fredirect.yml=20to=20body=5Fmicro=E2=80=A6=20(#?= =?UTF-8?q?1078)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ct.yml => body_microsoft_logo_open_redirect.yml} | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) rename detection-rules/{body_microsoft_logo_bing_redirect.yml => body_microsoft_logo_open_redirect.yml} (92%) 
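Review bot: Changing `or` to `and` still leaves the FakeAttachment logo test and the OCR-entity test as two independent `any(attachments, ...)` quantifiers, so the rule now matches when one small image carries the "financial"/"urgency" OCR text and a different image carries the fake-attachment logo. If the intent is a single lure image, move `and any(ml.logo_detect(.).brands, .name == "FakeAttachment")` into the first quantifier next to `.size < 5000` and drop the second `any(attachments, ...)` entirely. The attached-EML branch that follows is outside the hunk and still has no logo requirement at all.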
diff --git a/detection-rules/body_microsoft_logo_bing_redirect.yml b/detection-rules/body_microsoft_logo_open_redirect.yml similarity index 92% rename from detection-rules/body_microsoft_logo_bing_redirect.yml rename to detection-rules/body_microsoft_logo_open_redirect.yml index 0e1617419ce..4fe338cb1ef 100644 --- a/detection-rules/body_microsoft_logo_bing_redirect.yml +++ b/detection-rules/body_microsoft_logo_open_redirect.yml @@ -1,11 +1,11 @@ -name: "Body: Microsoft logo or Suspicious Language and Bing open redirect" +name: "Body: Microsoft logo or Suspicious Language and an open redirect" description: | Email contains a Microsoft logo or suspicious terms and use of the Bing open redirect. This has been exploited in the wild to impersonate Microsoft. type: "rule" severity: "high" source: | type.inbound - + // Microsoft logo and ( any(attachments, @@ -42,9 +42,11 @@ source: | ) ) ) - - // Bing redirect - and any(body.links, .href_url.domain.root_domain == 'bing.com' and .href_url.path =~ '/ck/a') + + // open redirect + and any(body.links, + any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect")) + ) and sender.email.domain.root_domain not in $org_domains and sender.email.domain.root_domain not in ( "bing.com", @@ -57,6 +59,7 @@ source: | "sharepointonline.com", "yammer.com" ) + attack_types: - "BEC/Fraud" tactics_and_techniques:
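Review bot: The `description:` line is now stale: it still says "use of the Bing open redirect" while the renamed rule and the link check in the next hunk cover any open redirect the rewriter tags. Suggest `Email contains a Microsoft logo or suspicious terms together with a link that passes through an open redirect. Bing's open redirect has been exploited in the wild to impersonate Microsoft.` so the documented scope matches the logic.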
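Review bot: The replacement condition `any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))` is much wider than `bing.com` plus `/ck/a`: it depends on the link-rewriter's encoder labels, whose naming convention is not visible here, no longer pins the redirect provider, and matches any encoder name containing that substring, yet `severity: "high"` and the sender exclusion list (which still names `bing.com`) were carried over unchanged. A why-comment on the new line would help, e.g. `// any link the rewriter labelled as an open redirect (substring match on encoder name; bing.com/ck/a was the original case)`, and the false-positive rate of the other matching encoders is worth checking before keeping the severity.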