Merge branch 'main' into sam.adobe.qrcode

sublime-security · Nov 9, 2023 · 7744636 · 7744636
2 parents 2ddcf82 + 0044f73
commit 7744636
Show file tree

Hide file tree

Showing 3 changed files with 227 additions and 14 deletions.
diff --git a/detection-rules/attachment_docusign_image_lure_qr_code.yml b/detection-rules/attachment_docusign_image_lure_qr_code.yml
@@ -0,0 +1,91 @@
+name: "Brand impersonation: DocuSign (QR code)"
+description: "Detects messages using DocuSign image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (.file_type in $file_types_images or .file_type == "pdf")
+          and (
+            any(ml.logo_detect(.).brands,
+                .name == "DocuSign" and .confidence in ("medium", "high")
+            )
+            or any(ml.logo_detect(beta.message_screenshot()).brands,
+                   .name == "DocuSign"
+            )
+          )
+  )
+  and any(attachments,
+          (
+            .file_type in $file_types_images
+            or .file_type == "pdf"
+            or .file_type in $file_extensions_macros
+          )
+          and (
+            any(file.explode(.),
+                regex.icontains(.scan.ocr.raw, 'scan|camera')
+                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
+            )
+            or (
+              any(file.explode(.),
+                  .scan.qr.type == "url"
+                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks 
+                  and any(recipients.to,
+                          strings.icontains(..scan.qr.data, .email.email)
+  
+                          // the recipients sld is in the senders display name
+                          or any(recipients.to,
+                                 strings.icontains(sender.display_name,
+                                                   .email.domain.sld
+                                 )
+                          )
+  
+                          // the recipient local is in the body  
+                          or any(recipients.to,
+                                 strings.icontains(body.current_thread.text,
+                                                   .email.local_part
+                                 )
+                          )
+  
+                          // or the body is null 
+                          or body.current_thread.text is null
+                          or body.current_thread.text == ""
+  
+                          // or the subject contains authentication/urgency verbiage
+                          or regex.contains(subject.subject,
+                                            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
+                          )
+                  )
+              )
+            )
+          )
+  )
+  
+  and (
+    not any(headers.hops,
+            .authentication_results.compauth.verdict is not null
+            and .authentication_results.compauth.verdict == "pass"
+            and sender.email.domain.root_domain in ("docusign.net", "docusign.com")
+    )
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+  
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "PDF"
+  - "QR code"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Header analysis"
+  - "QR code analysis"
+  - "Sender analysis"
+id: "0b16c28a-3f7e-5a90-bea5-473198424431"
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -256,6 +256,7 @@ source: |
                        "Secretary",
                        "Security",
                        "Service",
+                       "Storage",
                        "Support",
                        "Sweepstakes",
                        "System",
@@ -272,7 +273,9 @@ source: |
                        "Winner",
     )
   )
-  and any(body.links,
+  and (
+    4 of (
+      any(body.links,
           // is the recipient's email address in the URL?
           // this method accounts for any encoding we might encounter
           // in the query_params
@@ -283,21 +286,46 @@ source: |
               and strings.icontains(..href_url.url, .email.local_part)
               and strings.icontains(..href_url.url, .email.domain.domain)
           )
-  )
-  and any(ml.nlu_classifier(body.current_thread.text).intents,
-          .name == "cred_theft" and .confidence in ("medium", "high")
-  )
-  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
-  and (
-    // freemail providers should never be sending this type of email
-    sender.email.domain.domain in $free_email_providers
-  
-    // if not freemail, it's suspicious if the sender's root domain
-    // doesn't match any links in the body
-    or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
+      ),
+      any(ml.nlu_classifier(body.current_thread.text).intents,
+              .name == "cred_theft" and .confidence in ("medium", "high")
+      ),
+      any(ml.nlu_classifier(body.current_thread.text).entities,
+              .name == "request"
+      ),
+      (
+        // freemail providers should never be sending this type of email
+        sender.email.domain.domain in $free_email_providers
+
+        // if not freemail, it's suspicious if the sender's root domain
+        // doesn't match any links in the body
+        or all(body.links,
+               .href_url.domain.root_domain != sender.email.domain.root_domain
+        )
+      ),
+      // in case it's embedded in an image attachment
+      any(file.explode(beta.message_screenshot()),
+              any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                  .name == "cred_theft" and .confidence == "high"
+              )
+      )
+    )
+    or (
+      // recipient's email address is in the body
+      any(recipients.to,
+          strings.icontains(body.current_thread.text, .email.email)
+      )
+      // link leads to a suspicious TLD
+      and any(body.links,
+              beta.linkanalysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds
+      )
+    )
   )
   and (
-    profile.by_sender().prevalence in ("new", "outlier")
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
     or (
       profile.by_sender().any_messages_malicious_or_spam
       and not profile.by_sender().any_false_positives

diff --git a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
@@ -0,0 +1,94 @@
+name: "Link: QuickBooks image lure with suspicious link"
+description: "This rule detects messages with image attachments containing QuickBooks logo containing exactly 1 link to a suspicious URL. "
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) < 3
+  and any(attachments,
+          .file_type in $file_types_images
+          and any(ml.logo_detect(.).brands, .name == "Quickbooks")
+  )
+  and length(body.links) == 1
+  and (
+    // body text is very short
+    (
+      0 <= (length(body.current_thread.text)) < 10
+      or body.current_thread.text is null
+    )
+    or (
+      length(body.current_thread.text) < 900
+      // or body is most likely all warning banner (text contains the sender and common warning banner language)
+      and (
+        regex.icontains(body.current_thread.text,
+                        'caution|confidentiality notice|warning'
+        )
+      )
+    )
+  )
+  
+  // suspicious link
+  and any(body.links,
+          (
+            .href_url.domain.root_domain not in $tranco_1m
+            or .href_url.domain.domain in $free_file_hosts
+            or .href_url.domain.root_domain in $free_subdomain_hosts
+            or .href_url.domain.domain in $url_shorteners
+            or 
+  
+            // mass mailer link, masks the actual URL
+            .href_url.domain.root_domain in (
+              "hubspotlinks.com",
+              "mandrillapp.com",
+              "sendgrid.net",
+              "rs6.net"
+            )
+          )
+  
+          // exclude sources of potential FPs
+          and (
+            .href_url.domain.root_domain not in (
+              "svc.ms",
+              "sharepoint.com",
+              "1drv.ms",
+              "microsoft.com",
+              "aka.ms",
+              "msftauthimages.net",
+              "intuit.com",
+              "turbotax.com",
+              "intuit.ca"
+            )
+            or any(body.links, .href_url.domain.domain in $free_file_hosts)
+          )
+          and .href_url.domain.root_domain not in $org_domains
+  )
+  and sender.email.domain.root_domain not in~ (
+    'intuit.com',
+    'turbotax.com',
+    'intuit.ca'
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "URL analysis"
+id: "3826a923-865e-5d87-82e4-0c1f8434efc0"