From 4ee2553c35b41006d3714e9607d184f6ab6171ac Mon Sep 17 00:00:00 2001
From: Aiden Mitchell <me@aidenmitchell.ca>
Date: Thu, 7 Dec 2023 14:25:37 -0800
Subject: [PATCH] Restoring rule + adding unsolicited (#1110)

---
 .../link_content_credential_phishing.yml      | 47 +++++++++----------
 1 file changed, 21 insertions(+), 26 deletions(-)

diff --git a/detection-rules/link_content_credential_phishing.yml b/detection-rules/link_content_credential_phishing.yml
index e89b1aa4ebe..50d1638f1b1 100644
--- a/detection-rules/link_content_credential_phishing.yml
+++ b/detection-rules/link_content_credential_phishing.yml
@@ -6,32 +6,27 @@ type: "rule"
 severity: "high"
 source: |
   type.inbound
-  and any(attachments,
-          (
-            // office files
-            .file_extension in~ $file_extensions_macros
-            or .file_extension in~ $file_extensions_common_archives
-            or (
-              .file_extension is null
-              and .file_type == "unknown"
-              and .content_type == "application/octet-stream"
-              and .size < 100000
-            )
-          )
-          and (
-            any(file.explode(.),
-                (
-                  any(.scan.strings.strings,
-                      strings.ilike(., '*URLDownloadToFile*')
-                  )
-                  and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*'))
-                )
-                or any(.scan.strings.strings,
-                       regex.icontains(.,
-                                       'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}'
-                       )
-                )
-            )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft" and .confidence in ("medium", "high")
+    )
+    // embedded in an image attachment
+    // note: don't use message_screenshot() for now
+    // because it's not limited to current_thread and may FP
+    or any(attachments,
+           .file_type in $file_types_images
+           and any(file.explode(.),
+                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                       .name == "cred_theft" and .confidence in ("medium", "high")
+                   )
+           )
+    )
+  )
+  and any(body.links,
+          beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing"
+          and beta.linkanalysis(., mode="aggressive").credphish.confidence in (
+            "medium",
+            "high"
           )
   )
   and (