diff --git a/detection-rules/link_content_credential_phishing.yml b/detection-rules/link_content_credential_phishing.yml
index e89b1aa4ebe..50d1638f1b1 100644
--- a/detection-rules/link_content_credential_phishing.yml
+++ b/detection-rules/link_content_credential_phishing.yml
@@ -6,32 +6,27 @@ type: "rule"
 severity: "high"
 source: |
 type.inbound
- and any(attachments,
- (
- // office files
- .file_extension in~ $file_extensions_macros
- or .file_extension in~ $file_extensions_common_archives
- or (
- .file_extension is null
- and .file_type == "unknown"
- and .content_type == "application/octet-stream"
- and .size < 100000
- )
- )
- and (
- any(file.explode(.),
- (
- any(.scan.strings.strings,
- strings.ilike(., '*URLDownloadToFile*')
- )
- and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*'))
- )
- or any(.scan.strings.strings,
- regex.icontains(.,
- 'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}'
- )
- )
- )
+ and (
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
+ )
+ // embedded in an image attachment
+ // note: don't use message_screenshot() for now
+ // because it's not limited to current_thread and may FP
+ or any(attachments,
+ .file_type in $file_types_images
+ and any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
+ )
+ )
+ )
+ )
+ and any(body.links,
+ beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
+ and beta.linkanalysis(., mode="aggressive").credphish.confidence in (
+ "medium",
+ "high"
 )
 )
 and (
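Review bot: The link clause `and any(body.links, ...)` is not scoped to the current thread, which is inconsistent with the NLU branch that deliberately classifies only `body.current_thread.text` and with the added comment that rejects message_screenshot() for exactly that reason — a credential-phishing link quoted from an earlier message in the thread can satisfy this clause on an otherwise benign reply. If the query language exposes a current-thread-scoped link collection, use it here; otherwise add a comment next to the clause, e.g. `// note: body.links is not limited to current_thread; quoted-thread links can satisfy this clause`, so the asymmetry is a documented choice rather than an oversight. As a point of style, `beta.linkanalysis(., mode="aggressive")` is written twice per link for disposition and confidence; if the language has no way to bind the result once, a short comment saying the call is repeated intentionally (and whether results are cached) would help the next reader, and the reason for choosing `mode="aggressive"` over the default deserves a line as well. The `// office files` comment and the old macro/archive logic are fully removed, so the rule now depends on a beta function and on ML classifier confidence thresholds ("medium" is accepted in all three places) while keeping `severity: "high"`; the description should state that tuning decision. The enclosing `source:` block continues past the hunk's final `and (`.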