From 29489635d7b0154aa7ba430c97eada4f367cf67a Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Tue, 5 Sep 2023 14:10:01 -0700
Subject: [PATCH] Bump severities to high (#775)
---
 detection-rules/attachment_docusign_image_suspicious_links.yml | 2 +-
 detection-rules/attachment_microsoft_image_lure_qr_code.yml | 2 +-
 detection-rules/attachment_office365_image.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index 66d917790b3..514b82554c1 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -1,7 +1,7 @@
 name: "Attachment: DocuSign image lure with no DocuSign domains in links"
 description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and length(filter(attachments, .file_type not in $file_types_images)) == 0
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 6846c8ffb71..893ce305af0 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -2,7 +2,7 @@ name: "Brand impersonation: Microsoft (QR code)"
 description: |
 Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and (
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index 7a6de0ff984..012788a6b7a 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -2,7 +2,7 @@ name: "Attachment: Office365 image (unsolicited)"
 description: |
 Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and length(filter(attachments, .file_type not in $file_types_images)) == 0
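Review bot: With `severity: "high"` the `description` of this rule no longer tells an analyst enough to triage a hit. It mentions only an image attachment containing words related to Microsoft, Office365 and passwords, while the rule name adds "(unsolicited)" and the visible `source` also requires that no non-image attachments are present. I would state those conditions in the description, for example `Looks for unsolicited inbound messages whose only attachments are images containing words related to Microsoft, Office365, and passwords.` The `source` block continues past the end of the hunk, so the sender condition implied by "unsolicited" is inferred from the name and should be confirmed against the full rule before the wording is adopted.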