Skip to content

Commit

Permalink
Update link_microsoft_low_reputation.yml
Browse files Browse the repository at this point in the history
  • Loading branch information
@morriscode
morriscode authored Sep 18, 2023
1 parent 7e437eb commit 3344312
Showing 1 changed file with 127 additions and 125 deletions.
252 changes: 127 additions & 125 deletions detection-rules/link_microsoft_low_reputation.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,135 +4,137 @@ type: "rule"
severity: "medium"
source: |
type.inbound
// suspicious link
and any(body.links,
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or
// mass mailer link, masks the actual URL
.href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
// Google AMP redirect
or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/"))
)
// exclude sources of potential FPs
and (
.href_url.domain.root_domain not in (
"svc.ms",
"sharepoint.com",
"1drv.ms",
"microsoft.com",
"aka.ms",
"msftauthimages.net"
)
or .href_url.domain.root_domain not in $org_domains
)
)
// not a reply
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// Microsoft logo
and (
any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
)
// suspicious content
and (
(
strings.ilike(body.plain.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(body.plain.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
)
)
or (
any(attachments,
// suspicious link
and any(body.links,
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or
// mass mailer link, masks the actual URL
.href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
// Google AMP redirect
or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/"))
)
// exclude sources of potential FPs
and (
.href_url.domain.root_domain not in (
"svc.ms",
"sharepoint.com",
"1drv.ms",
"microsoft.com",
"aka.ms",
"msftauthimages.net"
)
or any(body.links, .href_url.domain.domain in $free_file_hosts)
)
)
// not a reply
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
// Microsoft logo
and (
any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
)
// suspicious content
and (
(
strings.ilike(body.plain.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(body.plain.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
)
)
or (
any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(.scan.ocr.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
)
)
)
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in~ ("medium", "high")
)
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(.scan.ocr.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in~ ("medium", "high")
)
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence in ("medium", "high"))
)
)
or (
any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com"
)
)
or (
any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com"
)
attack_types:
- "Credential Phishing"
Expand Down

0 comments on commit 3344312

Please sign in to comment.