Merge branch 'main' into morriscode-gitgudnoob

sublime-security · Sep 8, 2023 · 238d655 · 238d655
2 parents c69b291 + 0465b64
commit 238d655
Show file tree

Hide file tree

Showing 12 changed files with 187 additions and 41 deletions.
diff --git a/detection-rules/attachment_credential_phishing_image_as_content.yml b/detection-rules/attachment_credential_phishing_image_as_content.yml
@@ -0,0 +1,59 @@
+name: "Credential Phishing: Image as content, short or no body contents"
+description: |
+  This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
+  or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
+  to high-confidence credit theft intentions.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) < 2
+  and 0 < (length(attachments)) < 3
+  and (
+    // body text is very short
+    (
+      0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
+    )
+    or (
+      length(body.current_thread.text) < 900
+      // or body is most likely all warning banner (text contains the sender and common warning banner language)
+      and (
+        (
+          strings.contains(body.current_thread.text, sender.email.email)
+          and strings.contains(body.current_thread.text, 'caution')
+        )
+        or regex.icontains(body.current_thread.text,
+                           "intended recipient's use only|external email|sent from outside|you don't often"
+        )
+      )
+    )
+  )
+  and (
+    all(attachments,
+        (.file_type in $file_types_images)
+        and (
+          any(file.explode(.),
+              any(.scan.exiftool.fields, .value == "Truncated PNG image")
+              or (
+                any(ml.logo_detect(..).brands, .name is not null)
+                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                        .name == "cred_theft" and .confidence == "high"
+                )
+              )
+          )
+        )
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Image as content"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+id: "01313f38-d0d1-5240-b407-8f9158639277"
diff --git a/detection-rules/attachment_html_smuggling_atob.yml b/detection-rules/attachment_html_smuggling_atob.yml
@@ -8,8 +8,7 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .size <= 60000
-          and (
+          (
             .file_extension in~ ("html", "htm", "shtml", "dhtml")
             or .file_extension in~ $file_extensions_common_archives
             or .file_type == "html"

diff --git a/detection-rules/attachment_html_smuggling_line_break_obfuscation.yml b/detection-rules/attachment_html_smuggling_line_break_obfuscation.yml
@@ -0,0 +1,36 @@
+name: "Attachment: HTML smuggling with excessive line break obfuscation"
+description: |
+  Credential Phishing attacks have been observed using excessive line breaks to obfuscate javascript functions within html files.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("html", "htm", "shtml", "dhtml")
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_type == "html"
+          )
+          and any(file.explode(.),
+                  any(.scan.strings.strings,
+                  // return new line padded obfuscation 
+                      regex.contains(., '(\\r\\n\S{2}){50,}')
+                      and strings.contains(., 'decodeURIComponent')
+                  )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "HTML analysis"
+  - "Javascript analysis"
+id: "7e901440-5751-5d94-8b2d-47eb3c0e2b9d"
diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml
@@ -7,9 +7,11 @@ type: "rule"
 severity: "low"
 source: |
   type.inbound
-  and any([body.html.display_text, body.plain.raw],
-          any(ml.nlu_classifier(.).intents, .name == "extortion" and .confidence == "high")
-          and (any(ml.nlu_classifier(.).entities, .name == "financial"))
+  and (
+  any(ml.nlu_classifier(body.current_thread.text).intents,
+      .name == "extortion" and .confidence == "high"
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
   )
   and (
     (

diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -15,7 +15,9 @@ source: |
         )
     )
     or any(ml.nlu_classifier(body.current_thread.text).intents,
-           .name in ("callback_scam") and .confidence == "high"
+           .name in ("callback_scam")
+           and .confidence == "high"
+           and length(body.current_thread.text) < 1500
     )
   )
   and not (

diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml
@@ -16,6 +16,7 @@ source: |
     )
   )
   and regex.icontains(subject.subject, 'immediately', 'urgent')
+  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
   and (
     (
       sender.email.domain.root_domain in $free_email_providers

diff --git a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
@@ -5,7 +5,7 @@ severity: "medium"
 source: |
   type.inbound
   and any(ml.nlu_classifier(body.current_thread.text).intents,
-          .name in ("bec") and .confidence in ("medium", "high")
+          .name in ("bec") and .confidence == "high"
   )
   and (
     headers.return_path.domain.root_domain in $free_email_providers
@@ -21,6 +21,24 @@ source: |
     )
   )
   and sender.email.domain.root_domain not in $free_email_providers
+  
+  // negate gmail autoforwards and null return paths
+  and (
+    headers.return_path.email is null
+    or not any([headers.return_path.email], strings.ilike(headers.return_path.local_part, "*+caf_=*"))
+  )
+  
+  // negate listservs
+  and not (
+    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+    and strings.contains(sender.display_name, "via")
+  )
+  
+  // negate legit replies
+  and not (
+    length(headers.references) > 0
+    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
 attack_types:
   - "BEC/Fraud"
 tactics_and_techniques:

diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
@@ -25,7 +25,6 @@ source: |
     sender.email.domain.root_domain not in ("protectedtrust.com")
     and any(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
-            and length(.href_url.path) > 20
     )
   )
 

diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -7,20 +7,16 @@ severity: "medium"
 source: |
   type.inbound
   and length(body.links) > 0
-
+  
   // voicemail related
   and (
-    regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
-                    'voice\s?(mail|message|recording|call)'
-    )
+    regex.icontains(body.current_thread.text, 'voice\s?(mail|message|recording|call)')
     or (regex.icontains(subject.subject, 'voice\s?(mail|message|recording|call)'))
   )
   and 2 of (
     (
-      any([body.plain.raw, body.html.inner_text],
-          any(ml.nlu_classifier(.).intents,
-              .name in ("cred_theft") and .confidence in ("medium", "high")
-          )
+      any(ml.nlu_classifier(body.current_thread.text).intents,
+          .name in ("cred_theft") and .confidence in ("medium", "high")
       )
     ),
     (regex.icontains(sender.display_name, 'voice\s?(mail|message|recording|call)')),
@@ -29,14 +25,15 @@ source: |
       all(body.links,
           .href_url.domain.root_domain != sender.email.domain.root_domain
           and .href_url.domain.root_domain not in $org_domains
+          and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
       )
     ),
     (
       // recipient's SLD is in the sender's display name
       any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
     ),
   )
-  and sender.email.domain.root_domain not in ("magicjack.com")
+  and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
   and (
     (
       sender.email.domain.root_domain in $free_email_providers

diff --git a/...ink_fake_thread_nlu_financial_request.yml → ...ink_fake_thread_nlu_financial_request.yml b/...ink_fake_thread_nlu_financial_request.yml → ...ink_fake_thread_nlu_financial_request.yml
@@ -4,16 +4,16 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-
+  and length(body.links) < 10
   // suspicious link
   and any(body.links,
           .href_url.domain.root_domain not in $tranco_1m
           and .href_url.domain.domain not in $umbrella_1m
   )
-
+  
   // fake thread check
   and (strings.istarts_with(subject.subject, "RE:") or strings.istarts_with(subject.subject, "FWD:"))
-
+  
   // Check for the Presence of References or In-Reply-To properties
   and (
     (length(headers.references) == 0 and headers.in_reply_to is null)
@@ -22,45 +22,53 @@ source: |
       and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
     )
   )
-
+  
   // sender's domain is not in body, and body has > 0 links
   and length(body.links) > 0
   and sender.email.domain.root_domain not in $free_email_providers
   and not any(body.links, .href_url.domain.root_domain == sender.email.domain.root_domain)
-
+  
   // unusual sender (email address rarely sends to your organization)
   and sender.email.email not in $sender_emails
-
+  
   // unusual sender domain (domain rarely sends to your organization)
   and sender.email.domain.domain not in $sender_domains
-
-  // sender SLD matches no body SLDs
-  and all(body.links, .href_url.domain.sld != sender.email.domain.sld)
-
-  and 2 of (
+  and 4 of (
     // language attempting to engage
-    any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request"),
-
-    // financial request
-    any(ml.nlu_classifier(body.html.inner_text).entities, .name == "financial"),
-
+    (
+      any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
+      and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
+    ),
+  
+    // invoicing language
+    any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
+  
     // urgency request
-    any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency"),
-
+    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
+  
     // cred_theft detection
-    any(ml.nlu_classifier(body.html.inner_text).intents,
+    any(ml.nlu_classifier(body.current_thread.text).intents,
         .name == "cred_theft" and .confidence in~ ("medium", "high")
     ),
-
+  
     // commonly abused sender TLD
     strings.ilike(sender.email.domain.tld, "*.jp"),
-
+  
+    // headers traverse abused TLD
+    any(headers.domains, strings.ilike(.tld, "*.jp")),
+  
     // known suspicious pattern in the URL path
     any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),
-
+  
     // link display text is in all caps
     any(body.links, regex.match(.display_text, '[A-Z ]+')),
-
+  
+    // display name contains an email
+    regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+'),
+  
+    // Sender domain is empty
+    sender.email.domain.domain == "",
+  
     // sender domain matches no body domains
     all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain),
   )

diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
@@ -15,6 +15,12 @@ source: |
 
             // mass mailer link, masks the actual URL
             .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
+
+            // Google AMP redirect
+            or (
+            .href_url.domain.sld == "google"
+            and strings.starts_with(.href_url.path, "/amp/")
+            )
           )
 
           // exclude sources of potential FPs
@@ -114,7 +120,6 @@ source: |
       )
     )
   )
-  and sender.email.domain.root_domain not in $org_domains
   and sender.email.domain.root_domain not in (
     "bing.com",
     "microsoft.com",

diff --git a/detection-rules/open_redirect_usapdc.yml b/detection-rules/open_redirect_usapdc.yml
@@ -0,0 +1,20 @@
+name: "Open redirect: U.S. Antarctic Program Data Center (USAP-DC)"
+description: |
+   Message contains use of the U.S. Antarctic Program Data Center (USAP-DC) open redirect.
+type: "rule"
+severity: "medium"
+source: |
+    type.inbound
+    and any(body.links,
+            .href_url.domain.root_domain == "usap-dc.org"
+            and .href_url.path =~ "/tracker"
+            and strings.starts_with(.href_url.query_params, "type=dataset&url=http")
+    )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Open redirect"
+detection_methods:
+  - "URL analysis"
+id: "c499d041-1e95-52a5-bc7e-857376e1a873"
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,7 @@ source: | @@
         )
       )
       and regex.icontains(subject.subject, 'immediately', 'urgent')
+      and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
       and (
         (
           sender.email.domain.root_domain in $free_email_providers
@@ Expand Down @@