

Adding header/content signals, moving attachment signals to attachments dir (#666)
morriscode authored Aug 16, 2023
1 parent e12e8de commit 7228764
Showing 13 changed files with 86 additions and 0 deletions.
File renamed without changes.
File renamed without changes.
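--- /dev/null
+++ b/signals/content/body_tracking_pixel.yml
@@ -0,0 +1,13 @@
+name: "Tracking pixel in HTML body"
+type: "query"
+source: |
+(
+// standard html
+regex.contains(body.html.raw,
+'<img[^>]*?width="1(px)?"[^>]*?height="1(px)?"[^>]*?style="[^"]*(visibility:hidden|display:none)[^"]*"[^>]*?>'
+)
+// handle quoted printable variants
+or regex.contains(body.html.raw,
+'<img\s+width=3D"1"\s+height=3D"1"\s+src=3D"http[^"]+\.(gif|jpg|jpeg|png|bmp)">'
+)
+)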
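Review bot: The first `regex.contains` pattern only fires when `width`, `height` and `style` occur in that order and in lower case, so a pixel written as `<img height="1" width="1" style="display:none" …>` or with upper-case attribute names is missed, and the quoted-printable branch additionally requires `src` to end in an image extension, which tracking endpoints frequently do not. Switching both calls to `regex.icontains` removes the case dependence, and letting the two size attributes appear in either order, `'<img[^>]*?(width|height)=["\']?1(px)?["\']?[^>]*?(width|height)=["\']?1(px)?["\']?[^>]*?style="[^"]*(visibility:hidden|display:none)'`, removes the order dependence at some cost in precision. Whatever is kept, a comment above the QP branch stating its limitation, `// QP variant: only catches image-extension URLs with width/height/src in this order`, would help whoever tunes this later. Note that the `=3D` matching implies `body.html.raw` is not QP-decoded, which is presumably why the second branch exists; that too is worth stating in a comment.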
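--- /dev/null
+++ b/signals/headers/headers_fake_thread.yml
@@ -0,0 +1,9 @@
+name: "Fake message thread"
+type: "query"
+source: |
+type.inbound
+and strings.istarts_with(subject.subject, "RE:")
+and (
+length(headers.references) == 0
+or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+)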
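Review bot: The `or` joining the `References` and `In-Reply-To` checks makes the signal fire whenever either header is absent, but mail clients legitimately emit only one of the two, so a genuine reply from such a client is classed as a fake thread. If the intent is "claims to be a reply but carries no threading headers at all", the two checks should be combined: `length(headers.references) == 0` / `and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))`. The subject check also recognises only the English `RE:` prefix, so localised prefixes such as `AW:`, `SV:` or `RES:` never fire; if that is deliberate, a comment saying so would stop someone treating it as an oversight.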
7 changes: 7 additions & 0 deletions signals/headers/headers_gmail_autoforward.yml
@@ -0,0 +1,7 @@
name: "Gmail Auto-Forward"
type: "query"
source: |
any([headers.return_path.email],
strings.ilike(headers.return_path.local_part, "*+caf_=*") and type.inbound
)
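Review bot: The `any([headers.return_path.email], …)` wrapper adds nothing because the predicate never references `.`; the same check reads more directly as `type.inbound and strings.ilike(headers.return_path.local_part, "*+caf_=*")`. The sibling headers_mismatched_from_return_path.yml in this commit guards the same field with `headers.return_path.email is not null`; if `local_part` can be null when Return-Path is missing, the same guard belongs here for consistency. A one-line comment explaining the marker, `// presumably Gmail's auto-forward rewrite of Return-Path to <user>+caf_=<forwardee>=<domain>@…`, would save the next reader a search. The rendered section shows six lines against a seven-line addition count, so one line of this file (likely a trailing blank) is not visible here.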
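--- /dev/null
+++ b/signals/headers/headers_microsoft_scl.yml
@@ -0,0 +1,8 @@
+name: "Microsoft SCL"
+type: "query"
+source: |
+filter(
+map(headers.hops,
+map(filter(.fields, .name =~ "X-ms-exchange-organization-scl"), .value)
+), length(.) > 0
+)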
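Review bot: The query yields a list of per-hop lists of header values rather than a single SCL, so anything consuming this signal has to unwrap two levels before it can compare against a threshold; if MQL has a flatten helper, returning the values themselves would be simpler, and if not, a comment stating the nested shape is needed. The value's meaning should also be documented, since the raw string is only useful with its scale; a comment above `source:` such as `// SCL per Microsoft's published scale: -1 = bypassed (safe sender/rule), 0-1 = not spam, 5-6 = spam, 9 = high-confidence spam` would do. I am assuming `=~` is case-insensitive equality here, which is why the mixed-case header name matches; if that is not the case, the comparison needs `strings.ilike` as the fake-thread signal uses.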
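--- /dev/null
+++ b/signals/headers/headers_mismatched_from_reply_to.yml
@@ -0,0 +1,7 @@
+name: "Mismatched From and Reply-to Doms"
+type: "query"
+source: |
+any(headers.reply_to,
+length(headers.reply_to) > 0
+and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)
+)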
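Review bot: The outer `any(headers.reply_to, …)` is redundant: its predicate never uses `.`, and `any` over an empty list is already false, so the `length(headers.reply_to) > 0` inside it is dead. The same condition reads as two lines: `length(headers.reply_to) > 0` / `and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)`. If a null `root_domain` (unparseable Reply-To) compares unequal in MQL, such addresses will fire this signal; add `.email.domain.root_domain is not null and` to the `all` predicate if that is unwanted, or document that it is intended.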
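--- /dev/null
+++ b/signals/headers/headers_mismatched_from_return_path.yml
@@ -0,0 +1,8 @@
+name: "Mismatched From and Return-Path"
+type: "query"
+source: |
+any([headers.return_path.email],
+(headers.return_path.email is not null
+and headers.return_path.email != sender.email.email
+and type.inbound)
+)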
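Review bot: Comparing the full Return-Path address to the From address on the `headers.return_path.email != sender.email.email` line will fire on most ESP and mailing-list traffic, where VERP and bounce-tracking addresses differ in the local part by design, so the signal carries little weight on its own. The sibling headers_mismatched_from_reply_to.yml compares `root_domain`; for consistency and a usable false-positive rate, `headers.return_path.domain.root_domain != sender.email.domain.root_domain` is the more common formulation, or keep both granularities as separate signals. String `!=` is presumably case-sensitive, so a local part that differs only in case would also trigger it; a comment stating whether that is intended would help. As in the Gmail signal, the `any([…], …)` wrapper is unnecessary since the predicate never uses `.`.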
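--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_cofense.yml
@@ -0,0 +1,16 @@
+name: "Cofense PhishMe phishing simulation"
+type: "query"
+source: |
+any(headers.ips, .ip in (
+"13.113.166.58",
+"35.182.57.68",
+"52.1.96.230",
+"52.20.128.29",
+"52.20.155.14",
+"52.28.182.143",
+"52.28.252.18",
+"52.29.24.224",
+"52.29.5.79",
+"52.5.119.169",
+"52.62.59.61",
+))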
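Review bot: Matching any IP that appears anywhere in `headers.ips` against a static list means a sender who forges a `Received:` line or an `X-Originating-IP` header containing one of these addresses is classified as a Cofense simulation, which matters if this signal is used to suppress phishing verdicts. Restrict the check to the address actually observed by the receiving MTA — for example the SPF-evaluated sender IP, if the hops model exposes it — or corroborate with an authenticated identity the way the HoxHunt signal keys on a DKIM signing domain. The list should also carry its provenance, `// Cofense sending IPs per vendor allowlist documentation, last reviewed 2023-08`, since vendor ranges drift and nothing here flags when they do. The trailing comma after the last tuple element is worth checking against the MQL grammar.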
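--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_hoxhunt.yml
@@ -0,0 +1,4 @@
+name: "HoxHunt phishing simulation"
+type: "query"
+source: |
+any(headers.hops, strings.ends_with(.signature.domain, ".hoxhuntsigning.com"))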
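Review bot: `strings.ends_with(.signature.domain, ".hoxhuntsigning.com")` reads the signing domain from a hop's signature header without checking that the signature verified, so — assuming `.signature` is the parsed DKIM-Signature — any sender can add an unverifiable `DKIM-Signature: d=x.hoxhuntsigning.com` and be treated as a simulation. If the hop's signature object exposes a verification result, require it alongside the domain; otherwise pair this with the message-level DKIM pass state. The leading-dot suffix also excludes the apex `hoxhuntsigning.com` itself; if that is deliberate, a comment such as `// HoxHunt signs from per-tenant subdomains; apex intentionally excluded` would prevent someone "fixing" it later.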
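--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_knowbe4.yml
@@ -0,0 +1,4 @@
+name: "KnowBe4 phishing simulation"
+type: "query"
+source: |
+any(headers.ips, regex.match(.ip, '147\.10\.167\.([0-9]|[0-5][0-9]|6[0-3])', '23.21.109.(197|212)', '52.49.(201.246|235.189)'))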
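Review bot: The second and third patterns passed to `regex.match` leave their dots unescaped while the first escapes them, and none of the three is anchored; whether `147.10.167.100` through `.255` match the first pattern via the `[0-9]` alternative depends on whether `regex.match` is full-match or prefix-match, and if it is prefix-match the intended /26 silently becomes the whole /24. Escape every dot and anchor each pattern so the semantics do not depend on the engine: `'^147\.10\.167\.([0-9]|[0-5][0-9]|6[0-3])$'`, `'^23\.21\.109\.(197|212)$'`, `'^52\.49\.(201\.246|235\.189)$'`. The same spoofability concern as the Cofense signal applies here, since any IP in `headers.ips` counts, including ones from forgeable headers. A provenance comment for the ranges is also missing.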
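--- /dev/null
+++ b/signals/headers/headers_undisclosed_recipients.yml
@@ -0,0 +1,6 @@
+name: "Undisclosed Recipients"
+type: "query"
+source: |
+any([recipients.to, recipients.bcc, recipients.cc],
+any(., .display_name =~ "Undisclosed recipients:")
+)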
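Review bot: `.display_name =~ "Undisclosed recipients:"` requires exact (case-insensitive) equality including the trailing colon, but the RFC 5322 group form is `undisclosed-recipients:;` and clients vary in hyphenation and punctuation, so depending on how the parser populates `display_name` this may miss the most common spelling. A looser match, `regex.icontains(.display_name, "undisclosed[ -]recipients")`, covers the variants; it is worth confirming against a sample message what `display_name` actually holds for the `:;` group syntax before relying on either form. Including `recipients.bcc` is harmless but rarely populated on inbound mail, and a comment noting why it is included would help.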
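--- /dev/null
+++ b/signals/headers/headers_x_originating_ip.yml
@@ -0,0 +1,4 @@
+name: "X-Originating-IP"
+type: "query"
+source: |
+headers.x_originating_ip.ip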
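Review bot: `headers.x_originating_ip.ip` surfaces a header that the submitting client or any intermediate hop can set freely, so rules built on this signal must treat the value as attacker-controlled rather than as the connecting IP. A comment above `source:` making that explicit, `// X-Originating-IP is client-supplied and trivially forged; do not treat it as the sending MTA's address`, would prevent it being used as an allowlist key the way the simulation signals use `headers.ips`. The query itself is a single expression and needs no other change.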
