diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index 66d917790b3..514b82554c1 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -1,7 +1,7 @@
 name: "Attachment: DocuSign image lure with no DocuSign domains in links"
 description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and length(filter(attachments, .file_type not in $file_types_images)) == 0
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 6846c8ffb71..893ce305af0 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -2,7 +2,7 @@ name: "Brand impersonation: Microsoft (QR code)"
 description: |
 Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and (
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index 7a6de0ff984..012788a6b7a 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -2,7 +2,7 @@ name: "Attachment: Office365 image (unsolicited)"
 description: |
 Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and length(filter(attachments, .file_type not in $file_types_images)) == 0
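Review bot: Nothing in the visible metadata says what makes these matches high-confidence, yet `severity: "high"` is now set in all three rules (the DocuSign image rule, the Microsoft QR-code rule and the Office365 image rule). In `attachment_office365_image.yml` the name says "(unsolicited)" but the description never mentions a sender condition, so an analyst triaging a high-severity alert cannot tell from the description what was required. Wording such as `Looks for messages from unsolicited senders with an image attachment that contains words related to Microsoft, Office365, and passwords.` would match the name, assuming the `source` body, which continues outside the hunk, does enforce that. As written, the visible clause `length(filter(attachments, .file_type not in $file_types_images)) == 0` in the first and third rules also holds for a message with no attachments at all, so the new rating rests on later clauses not shown here. It is worth confirming those clauses against observed false positives before merging.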