Update Rule: Update link_credential_phishing_voicemail_language.yml

Expanding rule to pick up FN's. Notable improvement. 185 messages found 36 Already Flagged Will run test rules, but hunts in multiple environments look great.
sublime-security · Sep 25, 2023 · 8341a66 · 8341a66
1 parent 8a09102
commit 8341a66
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -1,25 +1,23 @@
 name: "Fake voicemail notification (unsolicited)"
 description: |
   This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve.
-  The rule ensures at least a single link is present with either voicemail in the display name, body, subject or a combination of those elements with a medium to high credential theft NLU Intent from an unsolicited sender.
+  The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from an unsolicited sender.
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and length(body.links) > 0
   
   // voicemail related
-  and (
-    regex.icontains(body.current_thread.text, 'voice\s?(mail|message|recording|call)')
-    or (regex.icontains(subject.subject, 'voice\s?(mail|message|recording|call)'))
+  and any([subject.subject, sender.display_name],
+          regex.icontains(., 'voice\s?(mail|message|recording|call)|transcription')
   )
   and 2 of (
     (
       any(ml.nlu_classifier(body.current_thread.text).intents,
           .name in ("cred_theft") and .confidence in ("medium", "high")
       )
     ),
-    (regex.icontains(sender.display_name, 'voice\s?(mail|message|recording|call)')),
+    (regex.icontains(sender.display_name, 'voice\s?(mail|message|recording|call|transcription)')),
     (
       // sender domain matches no body domains
       all(body.links,
@@ -36,6 +34,14 @@ source: |
       // recipient's SLD is in the sender's display name
       any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
     ),
+    (
+      // emoji's in subject, display_name or body
+      any([sender.display_name, subject.subject, body.current_thread.text],
+          regex.contains(.,
+                         '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
+          )
+      )
+    ),
   )
   and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")