Merge branch 'main' into sam.trusted_senders
Showing
1 changed file
with
46 additions
and
0 deletions.
46 changes: 46 additions & 0 deletions
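--- a/detection-rules/attachment_pdf_docusign_impersonation_new_domain.yml
+++ b/detection-rules/attachment_pdf_docusign_impersonation_new_domain.yml
@@ -0,0 +1,46 @@
+name: "Attachment: DocuSign Impersonation (PDF) linking to New Domain <=3d"
+description: "This rule detects PDF files containing a DocuSign logo linking to a newly created domain (Less than or equal to 3 days)"
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and any(attachments,
+.file_type == "pdf"
+and any(ml.logo_detect(.).brands, .name == "DocuSign")
+and any(file.explode(.), any(.scan.pdf.urls, beta.whois(.domain).days_old <= 3))
+)
+// negate legitimate docusign infrastructure
+and
+(
+(
+sender.email.domain.root_domain in ('docusign.net', 'docusign.com')
+and (
+any(distinct(headers.hops, .authentication_results.dmarc is not null),
+strings.ilike(.authentication_results.dmarc, "*fail")
+)
+)
+)
+or sender.email.domain.root_domain not in ('docusign.net', 'docusign.com')
+)
+// excludes senders that contain "via" in the display name a resilient way
+and not (
+any(headers.hops,
+any(.fields, .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net"))
+)
+)
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "PDF"
+- "Social engineering"
+detection_methods:
+- "Header analysis"
+- "Sender analysis"
+- "URL analysis"
+- "File analysis"
+- "Computer Vision"
+- "Whois"
+id: "f0c96282-6eb9-5e84-aa9d-a48f66db5a74"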
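Review bot: The comment above the second exclusion, `// excludes senders that contain "via" in the display name a resilient way`, does not describe the code beneath it, which looks for an `X-Api-Host` hop header ending in `docusign.net` and never inspects a display name; replace it with `// negate mail relayed via DocuSign API hosts, identified by the X-Api-Host hop header`. Unlike the first exclusion, which is tied to the sender's root domain together with a DMARC result, this one keys on a hop header alone, which is not an authenticated signal, so it will also suppress the rule for non-DocuSign senders whose mail happens to carry that header; consider gating it on the same sender-domain/DMARC condition used above, or state in the comment that the weaker exclusion is an accepted trade-off. The `description` field also says the rule detects "PDF files", whereas `type.inbound` plus the attachment predicate means it matches inbound messages carrying such a PDF; a small wording fix there would make the rule's scope clearer in the rule catalog.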