Update credential theft detection

sublime-security · Nov 9, 2023 · 72afcfe · 72afcfe
1 parent b73bfbe
commit 72afcfe
Showing 1 changed file with 30 additions and 23 deletions.
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -256,6 +256,7 @@ source: |
                        "Secretary",
                        "Security",
                        "Service",
+                       "Storage",
                        "Support",
                        "Sweepstakes",
                        "System",
@@ -272,29 +273,35 @@ source: |
                        "Winner",
     )
   )
-  and any(body.links,
-          // is the recipient's email address in the URL?
-          // this method accounts for any encoding we might encounter
-          // in the query_params
-          // this is common in link tracking, both for
-          // benign marketing traffic but also attackers
-          any(recipients.to,
-              .email.domain.valid
-              and strings.icontains(..href_url.url, .email.local_part)
-              and strings.icontains(..href_url.url, .email.domain.domain)
-          )
-  )
-  and any(ml.nlu_classifier(body.current_thread.text).intents,
-          .name == "cred_theft" and .confidence in ("medium", "high")
-  )
-  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
-  and (
-    // freemail providers should never be sending this type of email
-    sender.email.domain.domain in $free_email_providers
-  
-    // if not freemail, it's suspicious if the sender's root domain
-    // doesn't match any links in the body
-    or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
+  and 3 of (
+    // recipient's email address is in the body
+    any(recipients.to, strings.icontains(body.current_thread.text, .email.email)),
+    // link leads to a suspicious TLD
+    any(body.links,
+        beta.linkanalysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
+    ),
+    // unable to scan -- usually due to CloudFlare or other bot protections
+    any(body.links, beta.linkanalysis(., mode="aggressive").analyzed == false),
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft" and .confidence in ("medium", "high")
+    ),
+    any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request"),
+    (
+      // freemail providers should never be sending this type of email
+      sender.email.domain.domain in $free_email_providers
+
+      // if not freemail, it's suspicious if the sender's root domain
+      // doesn't match any links in the body
+      or all(body.links,
+             .href_url.domain.root_domain != sender.email.domain.root_domain
+      )
+    ),
+    // in case it's embedded in an image attachment
+    any(file.explode(beta.message_screenshot()),
+        any(ml.nlu_classifier(.scan.ocr.raw).intents,
+            .name == "cred_theft" and .confidence == "high"
+        )
+    )
   )
   and (
     profile.by_sender().prevalence in ("new", "outlier")