Merge branch 'main' into sam.penpal.fraud

detection-rules/attachment_any_html_new_sender.yml

@@ -12,7 +12,10 @@ source: |
   type.inbound
   and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
   and (
-    profile.by_sender().prevalence in ("new", "outlier")
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
     or profile.by_sender().any_messages_malicious_or_spam
   )
   and not profile.by_sender().any_false_positives

detection-rules/attachment_eml_cred_theft.yml

@@ -1,36 +1,61 @@
 name: "Attachment: EML with link to credential phishing page"
 description: |
-  Attached EML links to a credential phishing site.
+  Attached EML links to a credential phishing site or exhibits unusual behavior such as multiple suspicious redirects.
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
   and length(attachments) == 1
   and any(attachments,
-          .content_type == "message/rfc822"
-          and (
-            any(file.explode(.),
-                any(.scan.url.urls,
-                    (
-                      (
-                        .domain.root_domain in $free_subdomain_hosts
-                        or .domain.root_domain in ("sharepoint.com")
-                        or .domain.root_domain not in $tranco_1m
-                      )
-                      and beta.linkanalysis(.).credphish.disposition == "phishing"
-                    )
-                    // or any links in the final dom lead to a suspicious tld
-                    or any(beta.linkanalysis(.).final_dom.links,
-                           beta.linkanalysis(.href_url).effective_url.domain.tld in $suspicious_tlds
+          (.content_type == "message/rfc822" or .file_extension =~ "eml")
+          and any(file.parse_eml(.).body.links,
+                  (
+                    beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
+                    and beta.linkanalysis(., mode="aggressive").credphish.confidence in (
+                      "medium",
+                      "high"
                     )
-                )
+                  )
+
+                  // or any links in the final dom lead to a suspicious tld
+                  or any(beta.linkanalysis(.).final_dom.links,
+                         .href_url.domain.tld in $suspicious_tlds
+                         or beta.linkanalysis(.href_url).effective_url.domain.tld in $suspicious_tlds
+                  )
+
+                  // link redirects to a suspicious TLD
+                  or any(beta.linkanalysis(., mode="aggressive").redirect_history,
+                         .domain.tld in $suspicious_tlds
+                  )
+                  or (
+                    // suspicious redirects
+                    // 3 or more different domains with 2 or more different TLDs
+                    // careful because click trackers will always make this at least 2
+                    // different domains and not unlikely 2 or more TLDs
+                    length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history,
+                                        .domain.tld
+                                    )
+                           )
+                    ) >= 2
+                    and length(distinct(map(beta.linkanalysis(.,
+                                                              mode="aggressive"
+                                            ).redirect_history,
+                                            .domain.domain
+                                        )
+                               )
+                    ) >= 3
+                  )
+          )
+          // engaging language in the original body or EML
+          and (
+            any(ml.nlu_classifier(body.html.display_text).entities,
+                .name == "request"
+            )
+            or any(ml.nlu_classifier(file.parse_eml(.).body.html.display_text).entities,
+                   .name == "request"
             )
           )
   )
-  
-  // engaging language in the original body
-  and any(ml.nlu_classifier(body.html.display_text).entities, .name == "request")
-  
   // exclude bounce backs & read receipts
   and not strings.like(sender.email.local_part,
                        "*postmaster*",
@@ -48,6 +73,7 @@ source: |
       and not profile.by_sender().any_false_positives
     )
   )
+  and not profile.by_sender().any_false_positives
 
 attack_types:
   - "Credential Phishing"

detection-rules/attachment_office_suspicious_functions.yml

@@ -0,0 +1,41 @@
+name: "Attachment: Office file with suspicious function calls or downloaded file path"
+description: "Attached Office file contains suspicious function calls or known malicious file path pattern."
+references:
+  - "https://app.docguard.io/c3e75d7a32a4959724f24c1004724951482cd732db7d287989c873c09166ff95/c3036de5-89b1-49c6-9681-706f5b9af264/0/results/dashboard"
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            // office files
+            .file_extension in~ $file_extensions_macros
+            or .file_extension in~ $file_extensions_common_archives
+            or (
+              .file_extension is null
+              and .file_type == "unknown"
+              and .content_type == "application/octet-stream"
+              and .size < 100000
+            )
+          )
+          and (
+            any(file.explode(.),
+                (
+                  any(.scan.strings.strings, strings.ilike(., '*URLDownloadToFile*'))
+                  and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*'))
+                )
+                or any(.scan.strings.strings,
+                       regex.icontains(., 'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}')
+                )
+            )
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+id: "4c78b969-9df8-59e1-8f65-43afdb06c817"

detection-rules/credential_phishing_docusign_embedded_image_lure.yml

@@ -0,0 +1,53 @@
+name: "Credential Phishing: DocuSign embedded image lure with no DocuSign domains in links"
+description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo embedded in the body of the message, from a new sender."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(attachments) == 0
+  and any(body.links,
+          not strings.ilike(.href_url.domain.root_domain, "docusign.*")
+  )
+  and (
+    any(ml.logo_detect(beta.message_screenshot()).brands,
+        .name == "DocuSign"
+        or any(file.explode(beta.message_screenshot()),
+               strings.ilike(.scan.ocr.raw, "*DocuSign*")
+               and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                       .name == "cred_theft" and .confidence != "low"
+               )
+        )
+    )
+  )
+  and any(file.explode(beta.message_screenshot()),
+          regex.icontains(.scan.ocr.raw,
+                          "review document",
+                          "[^d][^o][^c][^u]sign",
+                          "important edocs",
+                          "completed document"
+          )
+  )
+  and (
+    (
+      not profile.by_sender().solicited
+      and profile.by_sender().prevalence in ("new", "outlier")
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "dfe8715e-6318-579b-9131-ddfc9854dc95"

detection-rules/headers_replyto_new_domain_nlu_request.yml

@@ -21,6 +21,13 @@ source: |
            .name is not null and .confidence in ("medium", "high")
     )
   )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
   and not profile.by_sender().any_false_positives
   
 attack_types:

detection-rules/image_as_content_open_redir.yml

@@ -0,0 +1,51 @@
+name: "Image as content linking to an open redirect"
+description: "Body contains little, no, or only disclaimer text, and an image linking to an open redirect."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(body.links) < 3
+  and 0 < (length(attachments)) < 3
+  and all(attachments, (.file_type in $file_types_images))
+  and (
+    // body text is very short
+    (
+      0 <= (length(body.current_thread.text)) < 10
+      or body.current_thread.text is null
+    )
+    or (
+      length(body.current_thread.text) < 900
+      // or body is most likely all warning banner (text contains the sender and common warning banner language)
+      and (
+        (
+          strings.contains(body.current_thread.text, sender.email.email)
+          and strings.contains(body.current_thread.text, 'caution')
+        )
+        or regex.icontains(body.current_thread.text,
+                           "intended recipient's use only|external email|sent from outside|you don't often|confidential"
+        )
+      )
+    )
+  )
+  and (
+    any(body.links,
+        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
+    )
+    or any(body.links,
+           .href_url.domain.root_domain == 'sng.link'
+           and strings.ilike(.href_url.query_params, "*fallback_redirect*")
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Image as content"
+  - "Open redirect"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "HTML analysis"
+  - "URL analysis"
+id: "f5cec36b-76ea-5cd6-958b-74f819d73a47"

detection-rules/impersonation_adobe_suspicious_language_link.yml

@@ -0,0 +1,63 @@
+name: "Brand impersonation: Adobe with suspicious language and link"
+description: "Email contains an Adobe logo, at least one link, and suspicious link language from a new sender."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and length(attachments) == 0
+  and length(body.links) > 0
+  and any(ml.logo_detect(beta.message_screenshot()).brands,
+          .name == "Adobe" and .confidence in ("high")
+  )
+  and (
+    any(file.explode(beta.message_screenshot()),
+        strings.ilike(.scan.ocr.raw,
+                      "*review*",
+                      "*sign*",
+                      "*view*",
+                      "*completed document*",
+                      "*open agreement*",
+                      "*open document*"
+        )
+    )
+    or any(body.links,
+           strings.ilike(.display_text,
+                         "*review*",
+                         "*sign*",
+                         "*view*",
+                         "*completed document*",
+                         "*open agreement*",
+                         "*open document*"
+           )
+    )
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "32cc8bf1-f4d7-549f-a970-eade24b7c6ae"

detection-rules/impersonation_dotloop.yml

@@ -0,0 +1,41 @@
+name: "Brand impersonation: Dotloop"
+description: "Impersonation of Dotloop, a real estate transaction management platform."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.ilike(sender.display_name, '*dotloop*')
+    or strings.ilike(sender.email.domain.domain, '*dotloop*')
+  )
+  and sender.email.domain.root_domain not in~ ('dotloop.com', 'showingtime.com')
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
+  and not profile.by_sender().any_false_positives
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "f997581a-ca08-5b21-8a52-ee0ca78fcea5"

detection-rules/impersonation_human_resources.yml

@@ -12,7 +12,15 @@ source: |
   // Negate common marketing mailers
   and not regex.icontains(sender.display_name, 'HR (Events|Expert)')
   
-  and  (0 < length(body.links) < 10 or length(attachments) > 0)
+  and (
+    (0 < length(body.links) < 10 or length(attachments) > 0)
+    // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
+    // loosening the link count check as a result ensures we fire even with these conditions
+    or (
+      any(body.links, strings.ilike(.display_text, "*unsubscribe*", "update your preferences", "add us to your address book"))
+      and 0 < length(body.links) < 15
+    )
+  )
   // Request and Urgency
   and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
   and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")