Tighten up X impersonation (#918)

sublime-security · Nov 5, 2023 · 482cc75 · 482cc75
1 parent 500df97
commit 482cc75
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
@@ -22,7 +22,8 @@ source: |
     'dhl.co.uk',
     'dpdhl.com',
     'dhl.de',
-    'dhl.fr'
+    'dhl.fr',
+    'dhlending.com'
   )
   and (
     profile.by_sender().prevalence in ("new", "outlier")

diff --git a/detection-rules/impersonation_x_with_credphish_nlu.yml b/detection-rules/impersonation_x_with_credphish_nlu.yml
@@ -7,7 +7,7 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and (sender.display_name =~ "x" or sender.email.local_part =~ "x")
+  and sender.display_name =~ "x"
   and sender.email.domain.root_domain not in ("twitter.com", "x.com")
   and (
     any(attachments,
@@ -22,6 +22,28 @@ source: |
            .name == "cred_theft" and .confidence != "low"
     )
   )
+
+  // sender profile is new or outlier
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: