Sync from PR#668

New rule: Microsoft SCL very high and message not in spam folder by @morriscode #668 Source SHA 897f803 Triggered by @morriscode
sublime-security · Aug 17, 2023 · 1ebf8cb · 1ebf8cb
1 parent 894cfd7
commit 1ebf8cb
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml b/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml
@@ -0,0 +1,32 @@
+name: "Microsoft Spam Confidence Level (SCL) very high and message not in spam folder"
+description: |
+  This rule identifies messages with a Microsoft Spam Confidence Level (SCL) of 8 or 9, indicating a high likelihood of being unwanted. The rule flags these messages when they are not found in the user's spam folder, highlighting a potential risk of malicious or unwanted content.
+references:
+  - "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-spam-confidence-level-scl-about"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(headers.hops,
+          any(.fields, strings.ilike(.name, "X-ms-exchange-organization-scl")
+          and .value in ("8", "9"))
+  )
+  and external.spam is null
+  and (
+    (
+      sender.email.domain.root_domain in $free_email_providers
+      and sender.email.email not in $sender_emails
+    )
+    or (
+      sender.email.domain.root_domain not in $free_email_providers
+      and sender.email.domain.domain not in $sender_domains
+    )
+  )
+attack_types:
+  - "Spam"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "801a5470-0498-55ba-a590-4cb105038e95"
+testing_pr: 668
+testing_sha: 897f803a6ea18aa7536aca9b68fa6441f6e9abf5