-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New Rule: Credential Phishing Suspicious subject with urgent financial (
#1071) Co-authored-by: ID Generator <[email protected]> Co-authored-by: Josh Kamdjou <[email protected]>
- Loading branch information
3 people
authored
Dec 12, 2023
1 parent
ecf32d9
commit 7ab6951
Showing
1 changed file
with
267 additions
and
0 deletions.
There are no files selected for viewing
267 changes: 267 additions & 0 deletions
267
detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,267 @@ | ||
| name: "Credential Phishing: Suspicious subject with urgent financial request and link" | ||
| description: "This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender." | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and 0 < length(body.links) < 5 | ||
| // ignore emails in body | ||
| and not all(body.links, .href_url.domain.domain in $free_email_providers) | ||
| and length(body.current_thread.text) < 2000 | ||
| and length(subject.subject) < 100 | ||
| // and suspicious subject | ||
| and regex.icontains(subject.subject, | ||
| // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects_regex.txt | ||
| "termination.*notice", | ||
| "38417", | ||
| ":completed", | ||
| "[il1]{2}mit.*ma[il1]{2} ?bo?x", | ||
| "[il][il][il]egai[ -]", | ||
| "[li][li][li]ega[li] attempt", | ||
| "[ng]-?[io]n .*block", | ||
| "[ng]-?[io]n .*cancel", | ||
| "[ng]-?[io]n .*deactiv", | ||
| "[ng]-?[io]n .*disabl", | ||
| "action.*required", | ||
| "abandon.*package", | ||
| "about.your.account", | ||
| "acc(ou)?n?t (is )?on ho[li]d", | ||
| "acc(ou)?n?t.*terminat", | ||
| "acc(oun)?t.*[il1]{2}mitation", | ||
| "access.*limitation", | ||
| "account (will be )?block", | ||
| "account.*de-?activat", | ||
| "account.*locked", | ||
| "account.*re-verification", | ||
| "account.*security", | ||
| "account.*suspension", | ||
| "account.has.been", | ||
| "account.has.expired", | ||
| "account.will.be.blocked", | ||
| "account v[il]o[li]at", | ||
| "activity.*acc(oun)?t", | ||
| "almost.full", | ||
| "app[li]e.[il]d", | ||
| "authenticate.*account", | ||
| "been.*suspend", | ||
| "clos.*of.*account.*processed", | ||
| "confirm.your.account", | ||
| "courier.*able", | ||
| "deactivation.*in.*progress", | ||
| "delivery.*attempt.*failed", | ||
| "document.received", | ||
| "documented.*shared.*with.*you", | ||
| "dropbox.*document", | ||
| "e-?ma[il1]+ .{010}suspen", | ||
| "e-?ma[il1]{1} user", | ||
| "e-?ma[il1]{2} acc", | ||
| "e-?ma[il1]{2}.*up.?grade", | ||
| "e.?ma[il1]{2}.*server", | ||
| "e.?ma[il1]{2}.*suspend", | ||
| "email.update", | ||
| "faxed you", | ||
| "fraud(ulent)?.*charge", | ||
| "from.helpdesk", | ||
| "fu[il1]{2}.*ma[il1]+[ -]?box", | ||
| "has.been.*suspended", | ||
| "has.been.limited", | ||
| "have.locked", | ||
| "he[li]p ?desk upgrade", | ||
| "heipdesk", | ||
| "i[il]iega[il]", | ||
| "ii[il]ega[il]", | ||
| "incoming e?mail", | ||
| "incoming.*fax", | ||
| "lock.*security", | ||
| "ma[il1]{1}[ -]?box.*quo", | ||
| "ma[il1]{2}[ -]?box.*fu[il1]", | ||
| "ma[il1]{2}box.*[il1]{2}mit", | ||
| "ma[il1]{2}box stor", | ||
| "mail on.?hold", | ||
| "mail.*box.*migration", | ||
| "mail.*de-?activat", | ||
| "mail.update.required", | ||
| "mails.*pending", | ||
| "messages.*pending", | ||
| "missed.*shipping.*notification", | ||
| "missed.shipment.notification", | ||
| "must.update.your.account", | ||
| "new [sl][io]g?[nig][ -]?in from", | ||
| "new voice ?-?mail", | ||
| "notifications.*pending", | ||
| "office.*3.*6.*5.*suspend", | ||
| "office365", | ||
| "on google docs with you", | ||
| "online doc", | ||
| "password.*compromised", | ||
| "periodic maintenance", | ||
| "potential(ly)? unauthorized", | ||
| "refund not approved", | ||
| "revised.*policy", | ||
| "scam", | ||
| "scanned.?invoice", | ||
| "secured?.update", | ||
| "security breach", | ||
| "securlty", | ||
| "signed.*delivery", | ||
| "status of your .{314}? ?delivery", | ||
| "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty", | ||
| "suspicious.*sign.*[io]n", | ||
| "suspicious.activit", | ||
| "temporar(il)?y deactivate", | ||
| "temporar[il1]{2}y disab[li]ed", | ||
| "temporarily.*lock", | ||
| "un-?usua[li].activity", | ||
| "unable.*deliver", | ||
| "unauthorized.*activit", | ||
| "unauthorized.device", | ||
| "unauthorized.sign.?in", | ||
| "unrecognized.*activit", | ||
| "unrecognized.sign.?in", | ||
| "unrecognized.*activit", | ||
| "undelivered message", | ||
| "unread.*doc", | ||
| "unusual.activity", | ||
| "upgrade.*account", | ||
| "upgrade.notice", | ||
| "urgent message", | ||
| "urgent.verification", | ||
| "v[il1]o[li1]at[il1]on security", | ||
| "va[il1]{1}date.*ma[il1]{2}[ -]?box", | ||
| "verification ?-?require", | ||
| "verification( )?-?need", | ||
| "verify.your?.account", | ||
| "web ?-?ma[il1]{2}", | ||
| "web[ -]?ma[il1]{2}", | ||
| "will.be.suspended", | ||
| "your (customer )?account .as", | ||
| "your.office.365", | ||
| "your.online.access", | ||
| // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt | ||
| "account has been limited", | ||
| "action required", | ||
| "almost full", | ||
| "apd notifi cation", | ||
| "are you at your desk", | ||
| "are you available", | ||
| "attached file to docusign", | ||
| "banking is temporarily unavailable", | ||
| "bankofamerica", | ||
| "closing statement invoice", | ||
| "completed: docusign", | ||
| "de-activation of", | ||
| "delivery attempt", | ||
| "delivery stopped for shipment", | ||
| "detected suspicious", | ||
| "detected suspicious actvity", | ||
| "docu sign", | ||
| "document for you", | ||
| "document has been sent to you via docusign", | ||
| "document is ready for signature", | ||
| "docusign", | ||
| "encrypted message", | ||
| "failed delivery", | ||
| "fedex tracking", | ||
| "file was shared", | ||
| "freefax", | ||
| "fwd: due invoice paid", | ||
| "has shared", | ||
| "inbox is full", | ||
| "invitation to comment", | ||
| "invitation to edit", | ||
| "invoice due", | ||
| "left you a message", | ||
| "message from", | ||
| "new message", | ||
| "new voicemail", | ||
| "on desk", | ||
| "out of space", | ||
| "password reset", | ||
| "payment status", | ||
| "quick reply", | ||
| "re: w-2", | ||
| "required", | ||
| "required: completed docusign", | ||
| "ringcentral", | ||
| "scanned image", | ||
| "secured files", | ||
| "secured pdf", | ||
| "security alert", | ||
| "new sign-in", | ||
| "new sign in", | ||
| "sign-in attempt", | ||
| "sign in attempt", | ||
| "staff review", | ||
| "suspicious activity", | ||
| "unrecognized login attempt", | ||
| "upgrade immediately", | ||
| "urgent", | ||
| "wants to share", | ||
| "w2", | ||
| "you have notifications pending", | ||
| "your account", | ||
| "your amazon order", | ||
| "your document settlement", | ||
| "your order with amazon", | ||
| "your password has been compromised", | ||
| ) | ||
| // language attempting to engage | ||
| and any(ml.nlu_classifier(body.current_thread.text).entities, | ||
| .name == "request" | ||
| ) | ||
| // financial request | ||
| and any(ml.nlu_classifier(body.current_thread.text).entities, | ||
| .name == "financial" | ||
| ) | ||
| // urgency request | ||
| and any(ml.nlu_classifier(body.current_thread.text).entities, | ||
| .name == "urgency" | ||
| ) | ||
| // org presence | ||
| and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org") | ||
| // not a reply | ||
| and ( | ||
| not strings.istarts_with(subject.subject, "re:") | ||
| and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) | ||
| ) | ||
| // the message is unsolicited and no false positives | ||
| and ( | ||
| not profile.by_sender().solicited | ||
| or profile.by_sender().any_messages_malicious_or_spam | ||
| ) | ||
| and not profile.by_sender().any_false_positives | ||
| // negate highly trusted sender domains unless they fail DMARC authentication | ||
| and ( | ||
| ( | ||
| sender.email.domain.root_domain in $high_trust_sender_root_domains | ||
| and ( | ||
| any(distinct(headers.hops, .authentication_results.dmarc is not null), | ||
| strings.ilike(.authentication_results.dmarc, "*fail") | ||
| ) | ||
| ) | ||
| ) | ||
| or sender.email.domain.root_domain not in $high_trust_sender_root_domains | ||
| ) | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Impersonation: Brand" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Sender analysis" | ||
| id: "056464f4-7a16-5f07-ab86-912e0a64ecae" |