From 09ac100beed899e665f4f48701df7431a5f19958 Mon Sep 17 00:00:00 2001
From: Bobby Filar <29960025+bfilar@users.noreply.github.com>
Date: Wed, 6 Sep 2023 10:44:33 -0500
Subject: [PATCH 01/15] Moving NLU logic for Extortion rule to current_thread (#774)
Co-authored-by: Sam Scholten
---
 detection-rules/body_extortion.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml
index cc50246b050..3beca403221 100644
--- a/detection-rules/body_extortion.yml
+++ b/detection-rules/body_extortion.yml
@@ -7,9 +7,11 @@ type: "rule"
 severity: "low"
 source: |
 type.inbound
- and any([body.html.display_text, body.plain.raw],
- any(ml.nlu_classifier(.).intents, .name == "extortion" and .confidence == "high")
- and (any(ml.nlu_classifier(.).entities, .name == "financial"))
+ and (
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "extortion" and .confidence == "high"
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
 )
 and (
 (
From c5735a5b170c4df62f4edb98cd3f388c29099d47 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Wed, 6 Sep 2023 10:18:41 -0700
Subject: [PATCH 02/15] Updating Rule: link_credential_phishing_voicemail_language.yml (#769)
Co-authored-by: Sam Scholten
---
 .../link_credential_phishing_voicemail_language.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index c5416581259..64cb640ab20
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
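Review bot: `ml.nlu_classifier(body.current_thread.text)` is now evaluated twice on the same text, once for `.intents` and once for `.entities`; whether the engine memoises classifier calls per message is not visible here, so this may be two NLU passes where the replaced `any([...], ...)` form scoped a single `.` per body variant. The same double call appears in the link_fake_thread_nlu_financial_request hunk later in this series. A one-line comment on the new `and (` line, `// current_thread only: quoted history is intentionally excluded`, would record why the html/plain scan was dropped.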
@@ -29,6 +29,7 @@ source: |
 all(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
 and .href_url.domain.root_domain not in $org_domains
+ and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com")
 )
 ),
 (
@@ -36,7 +37,7 @@ source: |
 any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
 ),
 )
- and sender.email.domain.root_domain not in ("magicjack.com")
+ and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
 and (
 (
 sender.email.domain.root_domain in $free_email_providers
From 9850917aed97764602c53cdeb93fe2237eb96c31 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 7 Sep 2023 12:06:20 -0400
Subject: [PATCH 03/15] Regression Tuning: link_fake_thread_nlu_financial_request.yml (#776)
---
 ...link_fake_thread_nlu_financial_request.yml | 54 +++++++++++--------
 1 file changed, 31 insertions(+), 23 deletions(-)
 rename {discovery-rules => detection-rules}/link_fake_thread_nlu_financial_request.yml (74%)
diff --git a/discovery-rules/link_fake_thread_nlu_financial_request.yml b/detection-rules/link_fake_thread_nlu_financial_request.yml
similarity index 74%
rename from discovery-rules/link_fake_thread_nlu_financial_request.yml
rename to detection-rules/link_fake_thread_nlu_financial_request.yml
index fb3205622b0..6531d54e6b2
--- a/discovery-rules/link_fake_thread_nlu_financial_request.yml
+++ b/detection-rules/link_fake_thread_nlu_financial_request.yml
@@ -4,16 +4,16 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
-
+
 and length(body.links) < 10 // suspicious link
 and any(body.links,
 .href_url.domain.root_domain not in $tranco_1m
 and .href_url.domain.domain not in $umbrella_1m
 )
-
+
 // fake thread check
 and (strings.istarts_with(subject.subject, "RE:") or strings.istarts_with(subject.subject, "FWD:"))
-
+
 // Check for the Presence of References or In-Reply-To properties
 and ( (length(headers.references) == 0 and headers.in_reply_to is null)
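Review bot: The added `and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com")` exempts all of googleapis.com by root domain, which is wider than the voicemail-provider exemption next to it: that root domain also serves user-uploaded object storage, so any link hosted there drops out of the external-link check. If the exemption targets one API host, compare on the full host instead, e.g. `and .href_url.domain.domain not in ("<specific-host>.googleapis.com")` (placeholder host), keeping the rest of the root domain in scope. The enclosing `all(body.links, ...)` starts before the hunk; the second hunk's sender-domain exemption for unitelvoice.com is narrow enough as written.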
@@ -22,45 +22,53 @@ source: |
 and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
 )
 )
-
+
 // sender's domain is not in body, and body has > 0 links
 and length(body.links) > 0
 and sender.email.domain.root_domain not in $free_email_providers
 and not any(body.links, .href_url.domain.root_domain == sender.email.domain.root_domain)
-
+
 // unusual sender (email address rarely sends to your organization)
 and sender.email.email not in $sender_emails
-
+
 // unusual sender domain (domain rarely sends to your organization)
 and sender.email.domain.domain not in $sender_domains
-
- // sender SLD matches no body SLDs
- and all(body.links, .href_url.domain.sld != sender.email.domain.sld)
-
- and 2 of (
+ and 4 of (
 // language attempting to engage
- any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request"),
-
- // financial request
- any(ml.nlu_classifier(body.html.inner_text).entities, .name == "financial"),
-
+ (
+ any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
+ and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
+ ),
+
+ // invoicing language
+ any(ml.nlu_classifier(body.current_thread.text).tags, .name == "invoice"),
+
 // urgency request
- any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency"),
-
+ any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency"),
+
 // cred_theft detection
- any(ml.nlu_classifier(body.html.inner_text).intents,
+ any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == "cred_theft" and .confidence in~ ("medium", "high")
 ),
-
+
 // commonly abused sender TLD
 strings.ilike(sender.email.domain.tld, "*.jp"),
-
+
+ // headers traverse abused TLD
+ any(headers.domains, strings.ilike(.tld, "*.jp")),
+
 // known suspicious pattern in the URL path
 any(body.links, regex.match(.href_url.path, '\/[a-z]{3}\d[a-z]')),
-
+
 // link display text is in all caps
 any(body.links, regex.match(.display_text, '[A-Z ]+')),
-
+
+ // display name contains an email
+ regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+'),
+
+ // Sender domain is empty
+ sender.email.domain.domain == "",
+
 // sender domain matches no body domains
 all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain),
 )
From e9b0f6baa97779fae6cb6b97680c6788f54376c0 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 7 Sep 2023 09:34:45 -0700
Subject: [PATCH 04/15] Updating Rule: link_credential_phishing_voicemail_language.yml (#768)
Co-authored-by: Sam Scholten
---
 .../link_credential_phishing_voicemail_language.yml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 64cb640ab20..4a339606ac6 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -7,20 +7,16 @@ severity: "medium"
 source: |
 type.inbound
 and length(body.links) > 0
-
+
 // voicemail related
 and (
- regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
- 'voice\s?(mail|message|recording|call)'
- )
+ regex.icontains(body.current_thread.text, 'voice\s?(mail|message|recording|call)')
 or (regex.icontains(subject.subject, 'voice\s?(mail|message|recording|call)'))
 )
 and 2 of (
 (
- any([body.plain.raw, body.html.inner_text],
- any(ml.nlu_classifier(.).intents,
- .name in ("cred_theft") and .confidence in ("medium", "high")
- )
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name in ("cred_theft") and .confidence in ("medium", "high")
 )
 ),
 (regex.icontains(sender.display_name, 'voice\s?(mail|message|recording|call)')),
From 7d99af9937ba2d93d15ff19d210fbf08d100c341 Mon Sep 17 00:00:00 2001
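Review bot: `regex.contains(sender.display_name, '[a-z0-9]+@[a-z]+')` on the new `// display name contains an email` line is case-sensitive, whereas the rest of this file tests display names with `strings.icontains`; a mixed-case name such as `Accounts@Billing` (constructed) would not count toward the raised `4 of` threshold. `regex.icontains(sender.display_name, '[a-z0-9]+@[a-z]+')` keeps the intent. The `sender.email.domain.domain == ""` line below it assumes an absent domain is an empty string rather than null, while earlier in this file absence is tested with `is null` (`headers.in_reply_to is null`); worth confirming which the engine produces.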
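Review bot: `.name in ("cred_theft")` in the rewritten NLU check is a one-element membership test; `.name == "cred_theft"` states the comparison directly and matches the form used in body_extortion.yml earlier in this series. The rewrite also drops the `coalesce(...)` fallback, so both `regex.icontains(body.current_thread.text, ...)` and `ml.nlu_classifier(body.current_thread.text)` now depend on how the engine treats a null `body.current_thread.text`, a case the image-as-content rule later in this series guards with `is null`; confirm the null behaviour before relying on it. The `and 2 of (` list continues past the end of the hunk.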
From: Aiden Mitchell
Date: Thu, 7 Sep 2023 09:45:48 -0700
Subject: [PATCH 05/15] Updating Rule: file_sharing_link_suspicious_subject.yml (#770)
Co-authored-by: Sam Scholten
---
 detection-rules/file_sharing_link_suspicious_subject.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml
index dd8b13cf541..88d8b23f04c 100644
--- a/detection-rules/file_sharing_link_suspicious_subject.yml
+++ b/detection-rules/file_sharing_link_suspicious_subject.yml
@@ -16,6 +16,7 @@ source: |
 )
 )
 and regex.icontains(subject.subject, 'immediately', 'urgent')
+ and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
 and (
 (
 sender.email.domain.root_domain in $free_email_providers
From 0fa53e5afe3c1ad60170ca8ae0ec6b3c75848c05 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 7 Sep 2023 11:12:42 -0700
Subject: [PATCH 06/15] Regression fix: link_credential_phishing_secure_message.yml (#773)
Co-authored-by: Sam Scholten
---
 detection-rules/link_credential_phishing_secure_message.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 3944a305c09..4cf9ed06d0b 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -25,7 +25,6 @@ source: |
 sender.email.domain.root_domain not in ("protectedtrust.com")
 and any(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
- and length(.href_url.path) > 20
 )
 )
From 9b017530dcf9b6546d493851b02ac77b6852371e Mon Sep 17 00:00:00 2001
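Review bot: The added `any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")` carries no confidence gate, unlike every other NLU condition in this series; if the intents list can hold several entries with confidences, a single low-confidence non-benign intent beside a dominant benign one still satisfies it, so the condition is weaker than it reads. `and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign" and .confidence in ("medium", "high"))` would align it with the neighbouring rules; the shape of the intents list is not visible here, so confirm before tightening.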
From: Sam Scholten
Date: Thu, 7 Sep 2023 20:41:10 -0400
Subject: [PATCH 07/15] New Rule: HTML smuggling with line break obfuscation (#777)
Co-authored-by: ID Generator
Co-authored-by: Bobby Filar <29960025+bfilar@users.noreply.github.com>
---
 ..._html_smuggling_line_break_obfuscation.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 detection-rules/attachment_html_smuggling_line_break_obfuscation.yml
diff --git a/detection-rules/attachment_html_smuggling_line_break_obfuscation.yml b/detection-rules/attachment_html_smuggling_line_break_obfuscation.yml
new file mode 100644
index 00000000000..dbd960a22f1
--- /dev/null
+++ b/detection-rules/attachment_html_smuggling_line_break_obfuscation.yml
@@ -0,0 +1,36 @@
+name: "Attachment: HTML smuggling with excessive line break obfuscation"
+description: |
+ Credential Phishing attacks have been observed using excessive line breaks to obfuscate javascript functions within html files.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or .file_extension in~ $file_extensions_common_archives
+ or .file_type == "html"
+ )
+ and any(file.explode(.),
+ any(.scan.strings.strings,
+ // return new line padded obfuscation
+ regex.contains(., '(\\r\\n\S{2}){50,}')
+ and strings.contains(., 'decodeURIComponent')
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+id: "7e901440-5751-5d94-8b2d-47eb3c0e2b9d"
From 71c2e1777f7a89c2d6bc1389db8a431c3c8a8680 Mon Sep 17 00:00:00 2001
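Review bot: The `regex.contains(., '(\\r\\n\S{2}){50,}')` line needs a fuller comment than `// return new line padded obfuscation`: the doubled backslashes mean it matches fifty or more repetitions of the literal escape text `\r\n` in the file's source (not real line breaks), each followed by exactly two non-whitespace characters, and the adjacent `strings.contains(., 'decodeURIComponent')` is case-sensitive, which is right for a JavaScript identifier. Suggested replacement comment: `// 50+ runs of the literal escape sequence "\r\n", each followed by exactly two non-whitespace chars: a payload string padded with CRLF escapes (strings from the exploded file's string scan)`. Because both the padding width and the repetition count are fixed, this is a narrow signature, and saying so in `description` helps the next tuner judge regressions.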
From: Sam Scholten
Date: Thu, 7 Sep 2023 22:46:12 -0400
Subject: [PATCH 08/15] FP: headers_freemail_replyto_returnpath_mismatch.yml (#780)
---
 .../headers_freemail_replyto_returnpath_mismatch.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
index c0360a0682b..f571dc6e0d8 100644
--- a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
+++ b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
@@ -5,7 +5,7 @@ severity: "medium"
 source: |
 type.inbound
 and any(ml.nlu_classifier(body.current_thread.text).intents,
- .name in ("bec") and .confidence in ("medium", "high")
+ .name in ("bec") and .confidence == "high"
 )
 and (
 headers.return_path.domain.root_domain in $free_email_providers
From 0722e4f7c9734b203a6eddf4965f3aa6d6a7e397 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 7 Sep 2023 22:47:09 -0400
Subject: [PATCH 09/15] New Rule: Open redirect: U.S. Antarctic Program Data Center (USAP-DC) (#779)
Co-authored-by: ID Generator
---
 detection-rules/open_redirect_usapdc.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 detection-rules/open_redirect_usapdc.yml
diff --git a/detection-rules/open_redirect_usapdc.yml b/detection-rules/open_redirect_usapdc.yml
new file mode 100644
index 00000000000..92b69306be2
--- /dev/null
+++ b/detection-rules/open_redirect_usapdc.yml
@@ -0,0 +1,20 @@
+name: "Open redirect: U.S. Antarctic Program Data Center (USAP-DC)"
+description: |
+ Message contains use of the U.S. Antarctic Program Data Center (USAP-DC) open redirect.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(body.links,
+ .href_url.domain.root_domain == "usap-dc.org"
+ and .href_url.path =~ "/tracker"
+ and strings.starts_with(.href_url.query_params, "type=dataset&url=http")
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "URL analysis"
+id: "c499d041-1e95-52a5-bc7e-857376e1a873"
From 40e65686359c88006af815e8c0a1dbba4dabd370 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 7 Sep 2023 19:50:52 -0700
Subject: [PATCH 10/15] Updating Rule: link_microsoft_low_reputation.yml (#759)
Co-authored-by: Sam Scholten
---
 detection-rules/link_microsoft_low_reputation.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 31c5b22c5f9..3579bb944e5 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -15,6 +15,12 @@ source: |
 // mass mailer link, masks the actual URL
 .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
+
+ // Google AMP redirect
+ or (
+ .href_url.domain.sld == "google"
+ and strings.starts_with(.href_url.path, "/amp/")
+ )
 )
 // exclude sources of potential FPs
@@ -114,7 +120,6 @@ source: |
 )
 )
 )
- and sender.email.domain.root_domain not in $org_domains
 and sender.email.domain.root_domain not in (
 "bing.com",
 "microsoft.com",
From 8d422b667a601543897948f68ae5e444c9a7d704 Mon Sep 17 00:00:00 2001
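Review bot: `strings.starts_with(.href_url.query_params, "type=dataset&url=http")` pins both the parameter order and the case of the query string, but query-parameter order is not significant to a web endpoint, so a link to the same redirect with the parameters in a different order or a different `type` value is not matched. Unless the endpoint is known to require that exact prefix (nothing on the page says so), matching the redirect parameter on its own is more robust, e.g. `and regex.icontains(.href_url.query_params, '(^|&)url=https?')`, with `type=dataset` kept as a separate `and` if it matters. A short comment on the `.href_url.path =~ "/tracker"` line saying whether `=~` is case-insensitive equality or a pattern match would help readers unfamiliar with the operator.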
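Review bot: The second hunk (`@@ -114,7 +120,6 @@`) removes `and sender.email.domain.root_domain not in $org_domains` without a comment, so the rule now also fires when the sender domain is one of the organisation's own; if that is deliberate, a one-line comment in place of the removed line, such as `// org domains intentionally in scope`, would keep the next tuner from re-adding the exclusion. In the first hunk, `.href_url.domain.sld == "google"` matches every google.<tld>, which looks intended but is worth stating in the comment, e.g. `// Google AMP redirect (any google.<tld>) with an /amp/ path`.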
From: Sam Scholten
Date: Fri, 8 Sep 2023 10:06:21 -0400
Subject: [PATCH 11/15] New Rule: Credential Phishing: Image as content, short or no body contents (#771)
Co-authored-by: ID Generator
---
 ...t_credential_phishing_image_as_content.yml | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 detection-rules/attachment_credential_phishing_image_as_content.yml
diff --git a/detection-rules/attachment_credential_phishing_image_as_content.yml b/detection-rules/attachment_credential_phishing_image_as_content.yml
new file mode 100644
index 00000000000..dc9b0a60fc6
--- /dev/null
+++ b/detection-rules/attachment_credential_phishing_image_as_content.yml
@@ -0,0 +1,59 @@
+name: "Credential Phishing: Image as content, short or no body contents"
+description: |
+ This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
+ or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
+ to high-confidence credit theft intentions.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.links) < 2
+ and 0 < (length(attachments)) < 3
+ and (
+ // body text is very short
+ (
+ 0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
+ )
+ or (
+ length(body.current_thread.text) < 900
+ // or body is most likely all warning banner (text contains the sender and common warning banner language)
+ and (
+ (
+ strings.contains(body.current_thread.text, sender.email.email)
+ and strings.contains(body.current_thread.text, 'caution')
+ )
+ or regex.icontains(body.current_thread.text,
+ "intended recipient's use only|external email|sent from outside|you don't often"
+ )
+ )
+ )
+ )
+ and (
+ all(attachments,
+ (.file_type in $file_types_images)
+ and (
+ any(file.explode(.),
+ any(.scan.exiftool.fields, .value == "Truncated PNG image")
+ or (
+ any(ml.logo_detect(..).brands, .name is not null)
+ and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence == "high"
+ )
+ )
+ )
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Image as content"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+id: "01313f38-d0d1-5240-b407-8f9158639277"
From 20dcebc9db64a0a288a3f72cfef98cc85dbaa700 Mon Sep 17 00:00:00 2001
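Review bot: `strings.contains(body.current_thread.text, 'caution')` on the warning-banner branch is case-sensitive while the alternative right below it uses `regex.icontains`; external-sender banners commonly spell that word in capitals, so this branch misses much of what the `// or body is most likely all warning banner` comment describes, and `strings.icontains(body.current_thread.text, 'caution')` fixes it without widening anything else. Two smaller points: `description` says "high-confidence credit theft intentions" where the check is `.name == "cred_theft"`, so "credential theft" is meant; and the `or` inside `any(file.explode(.), ...)` lets a `"Truncated PNG image"` EXIF value alone satisfy the attachment condition with no logo or NLU evidence, which the description's "in addition to" wording does not convey. The `ml.logo_detect(..)` parent reference presumably points at the attachment rather than the exploded file; a comment confirming that would help.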
From: Sam Scholten
Date: Fri, 8 Sep 2023 10:07:22 -0400
Subject: [PATCH 12/15] FP negations: headers_freemail_replyto_returnpath_mismatch.yml (#781)
---
 ...rs_freemail_replyto_returnpath_mismatch.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
index f571dc6e0d8..d5c5e187a9d 100644
--- a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
+++ b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
@@ -21,6 +21,24 @@ source: |
 )
 )
 and sender.email.domain.root_domain not in $free_email_providers
+
+ // negate gmail autoforwards and null return paths
+ and (
+ headers.return_path.email is null
+ or not any([headers.return_path.email], strings.ilike(headers.return_path.local_part, "*+caf_=*"))
+ )
+
+ // negate listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
+
+ // negate legit replies
+ and not (
+ length(headers.references) > 0
+ or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
From db2a2260bb91f0f7e05119622cb17ef78a37e5cf Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 8 Sep 2023 10:09:24 -0400
Subject: [PATCH 13/15] Tune: Update attachment_html_smuggling_atob.yml (#757)
Co-authored-by: Bobby Filar <29960025+bfilar@users.noreply.github.com>
---
 detection-rules/attachment_html_smuggling_atob.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/detection-rules/attachment_html_smuggling_atob.yml b/detection-rules/attachment_html_smuggling_atob.yml
index 59851c725a2..8b6182d3672 100644
--- a/detection-rules/attachment_html_smuggling_atob.yml
+++ b/detection-rules/attachment_html_smuggling_atob.yml
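Review bot: `or not any([headers.return_path.email], strings.ilike(headers.return_path.local_part, "*+caf_=*"))` wraps one value in a list and then never uses the iteration variable, so it reduces to `or not strings.ilike(headers.return_path.local_part, "*+caf_=*")`, which says what is tested. In the listserv negation, `strings.contains(sender.display_name, "via")` is an unanchored, case-sensitive substring test: display names that merely contain those letters (`Olivia`, `Silvia`) would suppress the alert whenever a List-Unsubscribe field is present, whereas `strings.icontains(sender.display_name, " via ")` targets the "Name via Group" form the comment has in mind. The rule body this is appended to starts before the hunk.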
@@ -8,8 +8,7 @@ severity: "high"
 source: |
 type.inbound
 and any(attachments,
- .size <= 60000
- and (
+ (
 .file_extension in~ ("html", "htm", "shtml", "dhtml")
 or .file_extension in~ $file_extensions_common_archives
 or .file_type == "html"
From 71409e95013155a29ec0461d209ba6dc1647968d Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 8 Sep 2023 14:16:23 -0400
Subject: [PATCH 14/15] FP Negation: link_credential_phishing_voicemail_language.yml (#783)
---
 detection-rules/link_credential_phishing_voicemail_language.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 4a339606ac6..0df96e25fe3 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -25,7 +25,7 @@ source: |
 all(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
 and .href_url.domain.root_domain not in $org_domains
- and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com")
+ and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
 )
 ),
 (
From 0465b64954bdfe4808c38d837edbfe88187eb19d Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 8 Sep 2023 14:19:27 -0400
Subject: [PATCH 15/15] FP/FN Negation: callback_phishing_nlu_body_or_attachments.yml (#750)
---
 detection-rules/callback_phishing_nlu_body_or_attachments.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index d45d5fa596f..2eaa5c00728 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -15,7 +15,9 @@ source: |
 )
 )
 or any(ml.nlu_classifier(body.current_thread.text).intents,
- .name in ("callback_scam") and .confidence == "high"
+ .name in ("callback_scam")
+ and .confidence == "high"
+ and length(body.current_thread.text) < 1500
 )
 )
 and not (
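Review bot: The new `and length(body.current_thread.text) < 1500` cap has no rationale comment; the subject calls it an FP/FN negation, so a line such as `// short bodies only: FP/FN tuning, see #750` records why 1500 was chosen and that the cap applies only to this NLU branch, not to the attachment branch above it. Whether `length()` of a null `body.current_thread.text` evaluates to 0 or fails is not visible here; the image-as-content rule in this series guards that case with `is null`, so the same guard may be wanted. The `or any(...)` alternative this sits in starts outside the hunk.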