From 8401fdb0f43c7d2375a8c1d75c2ea712a7e54609 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell <me@aidenmitchell.ca>
Date: Thu, 19 Oct 2023 06:02:10 -0700
Subject: [PATCH] New rule: attachment_fake_zoom_installer.yml (#838)

Co-authored-by: Sam Scholten <sam@sublimesecurity.com>
Co-authored-by: ID Generator <hello@sublimesecurity.com>
---
 .../attachment_fake_zoom_installer.yml        | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 detection-rules/attachment_fake_zoom_installer.yml

diff --git a/detection-rules/attachment_fake_zoom_installer.yml b/detection-rules/attachment_fake_zoom_installer.yml
new file mode 100644
index 00000000000..68d883807cb
--- /dev/null
+++ b/detection-rules/attachment_fake_zoom_installer.yml
@@ -0,0 +1,62 @@
+name: "Attachment: Fake Zoom installer"
+description: |
+  HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    any(attachments,
+        (
+          .file_extension in~ ("html", "htm", "shtml", "dhtml")
+          or .file_type == "html"
+          or .content_type == "text/html"
+        )
+        and any(file.explode(.),
+                any(ml.logo_detect(file.html_screenshot(..)).brands,
+                    .name == "Zoom" and .confidence in ("medium", "high")
+                )
+                and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
+                        .name == "request" and .text =~ "download"
+                )
+                and any(.scan.url.urls,
+                        strings.iends_with(.path, ".exe") and .domain.root_domain not in $org_domains
+                )
+        )
+    )
+    or any(attachments,
+           (.file_extension in~ $file_extensions_common_archives)
+           and any(file.explode(.),
+                   (
+                     .file_extension in~ ("html", "htm", "shtml", "dhtml")
+                     or ..file_type == "html"
+                     or ..content_type == "text/html"
+                   )
+                   and any(ml.logo_detect(file.html_screenshot(..)).brands,
+                           .name == "Zoom" and .confidence in ("medium", "high")
+                   )
+                   and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
+                           .name == "request" and .text =~ "download"
+                   )
+                   and any(.scan.url.urls,
+                           strings.iends_with(.path, ".exe") and .domain.root_domain not in $org_domains
+                   )
+           )
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Impersonation: Brand"
+  - "Scripting"
+  - "Social engineering"
+detection_methods:
+  - "Archive analysis"
+  - "Computer Vision"
+  - "File analysis"
+  - "HTML analysis"
+  - "Natural Language Understanding"
+  - "URL analysis"
+id: "840a12a6-a796-5e73-b975-1d1b5f745aea"