-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update link_microsoft_low_reputation.yml by @morriscode #908 Source SHA 158fc62 Triggered by @jkamdjou
- Loading branch information
Sublime Rule Testing Bot
committed
Nov 3, 2023
1 parent
b106ec4
commit 466c120
Showing
1 changed file
with
24 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| name: "Brand impersonation: Microsoft with low reputation links" | ||
| description: "Detects low reputation links with Microsoft specific indicators in the body." | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: "type.inbound\n// suspicious link\nand any(body.links,\n (\n .href_url.domain.root_domain not in $tranco_1m\n or .href_url.domain.domain in $free_file_hosts\n or .href_url.domain.root_domain in $free_subdomain_hosts\n or .href_url.domain.domain in $url_shorteners\n or \n\n // mass mailer link, masks the actual URL\n .href_url.domain.root_domain in (\n \"hubspotlinks.com\",\n \"mandrillapp.com\",\n \"sendgrid.net\",\n \"rs6.net\"\n )\n\n // Google AMP redirect\n or (\n .href_url.domain.sld == \"google\"\n and strings.starts_with(.href_url.path, \"/amp/\")\n )\n )\n\n // exclude sources of potential FPs\n and (\n .href_url.domain.root_domain not in (\n \"svc.ms\",\n \"sharepoint.com\",\n \"1drv.ms\",\n \"microsoft.com\",\n \"aka.ms\",\n \"msftauthimages.net\"\n )\n or any(body.links, .href_url.domain.domain in $free_file_hosts)\n )\n and .href_url.domain.root_domain not in $org_domains\n)\n\n// not a reply\nand (\n length(headers.references) == 0\n or not any(headers.hops, any(.fields, strings.ilike(.name, \"In-Reply-To\")))\n)\n\n// Microsoft logo\nand (\n any(attachments,\n .file_type in $file_types_images\n and any(ml.logo_detect(.).brands, strings.starts_with(.name, \"Microsoft\"))\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands,\n strings.starts_with(.name, \"Microsoft\")\n )\n)\n\n// suspicious content\nand (\n (\n strings.ilike(body.plain.raw,\n \"*password*\",\n \"*document*\",\n \"*voicemail*\",\n \"*cache*\",\n \"*fax*\",\n \"*storage*\",\n \"*quota*\",\n \"*message*\"\n )\n and strings.ilike(body.plain.raw,\n \"*terminated*\",\n \"*review*\",\n \"*expire*\",\n \"*click*\",\n \"*view*\",\n \"*exceed*\",\n \"*clear*\",\n \"*only works*\",\n \"*failed*\",\n \"*deleted*\"\n )\n )\n or (\n any(attachments,\n .file_type in $file_types_images\n and any(file.explode(.),\n strings.ilike(.scan.ocr.raw,\n \"*password*\",\n \"*document*\",\n \"*voicemail*\",\n \"*cache*\",\n \"*fax*\",\n \"*storage*\",\n \"*quota*\",\n \"*messages*\"\n )\n and strings.ilike(.scan.ocr.raw,\n \"*terminated*\",\n \"*review*\",\n \"*expire*\",\n \"*click*\",\n \"*view*\",\n \"*exceed*\",\n \"*clear*\",\n \"*only works*\",\n \"*failed*\",\n \"*deleted*\"\n )\n )\n )\n )\n or (\n any(file.explode(beta.message_screenshot()),\n strings.ilike(.scan.ocr.raw,\n \"*password*\",\n \"*document*\",\n \"*voicemail*\",\n \"*cache*\",\n \"*fax*\",\n \"*storage*\",\n \"*quota*\",\n \"*messages*\"\n )\n and strings.ilike(.scan.ocr.raw,\n \"*terminated*\",\n \"*review*\",\n \"*expire*\",\n \"*click*\",\n \"*view*\",\n \"*exceed*\",\n \"*clear*\",\n \"*only works*\",\n \"*failed*\",\n \"*deleted*\"\n )\n )\n )\n)\n\nand (\n any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence in~ (\"medium\", \"high\")\n )\n or any(attachments,\n .file_type in $file_types_images\n and any(file.explode(.),\n any(ml.nlu_classifier(.scan.ocr.raw).intents,\n .name == \"cred_theft\" and .confidence in (\"medium\", \"high\")\n )\n )\n )\n or (\n any(ml.nlu_classifier(body.html.inner_text).entities, .name == \"urgency\")\n and not any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"benign\" and .confidence == \"high\"\n )\n )\n)\nand sender.email.domain.root_domain not in (\n \"bing.com\",\n \"microsoft.com\",\n \"microsoftonline.com\",\n \"microsoftsupport.com\",\n \"microsoft365.com\",\n \"office.com\",\n \"onedrive.com\",\n \"sharepointonline.com\",\n \"yammer.com\"\n)\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and (\n any(distinct(headers.hops, .authentication_results.dmarc is not null),\n strings.ilike(.authentication_results.dmarc, \"*fail\")\n )\n )\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n" | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Free file host" | ||
| - "Image as content" | ||
| - "Impersonation: Brand" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Computer Vision" | ||
| - "Content analysis" | ||
| - "File analysis" | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Optical Character Recognition" | ||
| - "Sender analysis" | ||
| - "URL analysis" | ||
| id: "b59201b6-f253-55a6-9c0a-e1500a32a751" | ||
| testing_pr: 908 | ||
| testing_sha: 158fc62c9aabf0e4d136775b0a8ea7d824d1c0e5 |