From 7ab6951ecc1c39b6646382e7adda69382ee4ebb3 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Mon, 11 Dec 2023 20:45:23 -0500 Subject: [PATCH] New Rule: Credential Phishing Suspicious subject with urgent financial (#1071) Co-authored-by: ID Generator Co-authored-by: Josh Kamdjou --- ...uspicious_subject_nlu_financial_urgent.yml | 267 ++++++++++++++++++ 1 file changed, 267 insertions(+) create mode 100644 detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml new file mode 100644 index 00000000000..cce6d5299ae --- /dev/null +++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml @@ -0,0 +1,267 @@ +name: "Credential Phishing: Suspicious subject with urgent financial request and link" +description: "This rule inspects messages where the subject is suspicious with less than 5 links and a relatively short body. Natural Language Understanding is being used to identify the inclusion of a financial, request, urgency and org entity from an unsolicited sender." +type: "rule" +severity: "medium" +source: | + type.inbound + and 0 < length(body.links) < 5 + + // ignore emails in body + and not all(body.links, .href_url.domain.domain in $free_email_providers) + + and length(body.current_thread.text) < 2000 + and length(subject.subject) < 100 + + // and suspicious subject + and regex.icontains(subject.subject, + // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects_regex.txt + "termination.*notice", + "38417", + ":completed", + "[il1]{2}mit.*ma[il1]{2} ?bo?x", + "[il][il][il]egai[ -]", + "[li][li][li]ega[li] attempt", + "[ng]-?[io]n .*block", + "[ng]-?[io]n .*cancel", + "[ng]-?[io]n .*deactiv", + "[ng]-?[io]n .*disabl", + "action.*required", + "abandon.*package", + "about.your.account", + "acc(ou)?n?t (is )?on ho[li]d", + "acc(ou)?n?t.*terminat", + "acc(oun)?t.*[il1]{2}mitation", + "access.*limitation", + "account (will be )?block", + "account.*de-?activat", + "account.*locked", + "account.*re-verification", + "account.*security", + "account.*suspension", + "account.has.been", + "account.has.expired", + "account.will.be.blocked", + "account v[il]o[li]at", + "activity.*acc(oun)?t", + "almost.full", + "app[li]e.[il]d", + "authenticate.*account", + "been.*suspend", + "clos.*of.*account.*processed", + "confirm.your.account", + "courier.*able", + "deactivation.*in.*progress", + "delivery.*attempt.*failed", + "document.received", + "documented.*shared.*with.*you", + "dropbox.*document", + "e-?ma[il1]+ .{010}suspen", + "e-?ma[il1]{1} user", + "e-?ma[il1]{2} acc", + "e-?ma[il1]{2}.*up.?grade", + "e.?ma[il1]{2}.*server", + "e.?ma[il1]{2}.*suspend", + "email.update", + "faxed you", + "fraud(ulent)?.*charge", + "from.helpdesk", + "fu[il1]{2}.*ma[il1]+[ -]?box", + "has.been.*suspended", + "has.been.limited", + "have.locked", + "he[li]p ?desk upgrade", + "heipdesk", + "i[il]iega[il]", + "ii[il]ega[il]", + "incoming e?mail", + "incoming.*fax", + "lock.*security", + "ma[il1]{1}[ -]?box.*quo", + "ma[il1]{2}[ -]?box.*fu[il1]", + "ma[il1]{2}box.*[il1]{2}mit", + "ma[il1]{2}box stor", + "mail on.?hold", + "mail.*box.*migration", + "mail.*de-?activat", + "mail.update.required", + "mails.*pending", + "messages.*pending", + "missed.*shipping.*notification", + "missed.shipment.notification", + "must.update.your.account", + "new [sl][io]g?[nig][ -]?in from", + "new voice ?-?mail", + "notifications.*pending", + "office.*3.*6.*5.*suspend", + "office365", + "on google docs with you", + "online doc", + "password.*compromised", + "periodic maintenance", + "potential(ly)? unauthorized", + "refund not approved", + "revised.*policy", + "scam", + "scanned.?invoice", + "secured?.update", + "security breach", + "securlty", + "signed.*delivery", + "status of your .{314}? ?delivery", + "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty", + "suspicious.*sign.*[io]n", + "suspicious.activit", + "temporar(il)?y deactivate", + "temporar[il1]{2}y disab[li]ed", + "temporarily.*lock", + "un-?usua[li].activity", + "unable.*deliver", + "unauthorized.*activit", + "unauthorized.device", + "unauthorized.sign.?in", + "unrecognized.*activit", + "unrecognized.sign.?in", + "unrecognized.*activit", + "undelivered message", + "unread.*doc", + "unusual.activity", + "upgrade.*account", + "upgrade.notice", + "urgent message", + "urgent.verification", + "v[il1]o[li1]at[il1]on security", + "va[il1]{1}date.*ma[il1]{2}[ -]?box", + "verification ?-?require", + "verification( )?-?need", + "verify.your?.account", + "web ?-?ma[il1]{2}", + "web[ -]?ma[il1]{2}", + "will.be.suspended", + "your (customer )?account .as", + "your.office.365", + "your.online.access", + + // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt + "account has been limited", + "action required", + "almost full", + "apd notifi cation", + "are you at your desk", + "are you available", + "attached file to docusign", + "banking is temporarily unavailable", + "bankofamerica", + "closing statement invoice", + "completed: docusign", + "de-activation of", + "delivery attempt", + "delivery stopped for shipment", + "detected suspicious", + "detected suspicious actvity", + "docu sign", + "document for you", + "document has been sent to you via docusign", + "document is ready for signature", + "docusign", + "encrypted message", + "failed delivery", + "fedex tracking", + "file was shared", + "freefax", + "fwd: due invoice paid", + "has shared", + "inbox is full", + "invitation to comment", + "invitation to edit", + "invoice due", + "left you a message", + "message from", + "new message", + "new voicemail", + "on desk", + "out of space", + "password reset", + "payment status", + "quick reply", + "re: w-2", + "required", + "required: completed docusign", + "ringcentral", + "scanned image", + "secured files", + "secured pdf", + "security alert", + "new sign-in", + "new sign in", + "sign-in attempt", + "sign in attempt", + "staff review", + "suspicious activity", + "unrecognized login attempt", + "upgrade immediately", + "urgent", + "wants to share", + "w2", + "you have notifications pending", + "your account", + "your amazon order", + "your document settlement", + "your order with amazon", + "your password has been compromised", + ) + + // language attempting to engage + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "request" + ) + + // financial request + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "financial" + ) + + // urgency request + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "urgency" + ) + + // org presence + and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org") + + // not a reply + and ( + not strings.istarts_with(subject.subject, "re:") + and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // the message is unsolicited and no false positives + and ( + not profile.by_sender().solicited + or profile.by_sender().any_messages_malicious_or_spam + ) + and not profile.by_sender().any_false_positives + + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" +id: "056464f4-7a16-5f07-ab86-912e0a64ecae"