Merge branch 'main' into sam.ms.lowrep

sublime-security · Sep 18, 2023 · 7e437eb · 7e437eb
2 parents de85830 + bf62f17
commit 7e437eb
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
@@ -25,9 +25,15 @@ source: |
       and sender.email.domain.root_domain in $free_email_providers
     )
   )
+  // negate listservs
+  and not (
+      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+      and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in~ (
     'amazon.com',
     'amazon.com.au',
+    'amazon.com.be',
     'amazon.co.uk',
     'amazon.de',
     'amazon.es',

diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
@@ -13,6 +13,11 @@ source: |
     or strings.ilike(sender.email.email, '*github*')
     or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
   )
+  // negating listservs
+  and not (
+      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+      and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in (
     'github.com',
     'gitlab.com',

diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -279,7 +279,8 @@ source: |
           // this is common in link tracking, both for
           // benign marketing traffic but also attackers
           any(recipients.to,
-              strings.icontains(..href_url.url, .email.local_part)
+              .email.domain.valid
+              and strings.icontains(..href_url.url, .email.local_part)
               and strings.icontains(..href_url.url, .email.domain.domain)
           )
   )
@@ -290,12 +291,12 @@ source: |
   and (
     // freemail providers should never be sending this type of email
     sender.email.domain.domain in $free_email_providers
-
+  
     // if not freemail, it's suspicious if the sender's root domain
     // doesn't match any links in the body
     or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
   )
-
+  
   // first-time sender
   and (
     (

diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -11,7 +11,7 @@ source: |
   // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
   // and length(attachments) < 10
   and any(attachments,
-          .file_type in $file_types_images
+          (.file_type in $file_types_images or .file_type == "pdf")
           and any(file.explode(.),
                   .scan.qr.type == "url"