-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New Rule: Invoice Fraud from 30d domains by @morriscode #957 Source SHA d0fe20e Triggered by @morriscode
- Loading branch information
Sublime Rule Testing Bot
committed
Nov 14, 2023
1 parent
6746b44
commit 8509996
Showing
1 changed file
with
17 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| name: "BEC/Fraud - Invoice from sender, reply-to or return-path domain less than 30d old" | ||
| description: "This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. " | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: "type.inbound\n\n// reply to domain that's less than 30d old and doesn't match the sender\nand (\n (\n length(headers.reply_to) > 0\n and all(headers.reply_to,\n beta.whois(.email.domain).days_old <= 30\n and .email.email != sender.email.email\n )\n )\n\n // or the return path or sender domain is less than 30d old \n or beta.whois(headers.return_path.domain).days_old <= 30\n or beta.whois(sender.email.domain).days_old <=30\n)\n\n// invoicing with high confidence\nand any(ml.nlu_classifier(body.current_thread.text).tags,\n .name == \"invoice\" and .confidence == \"high\"\n)\n\n// commonly abused brands in body\nand (\n strings.ilike(body.current_thread.text,\n \"*mcafee*\",\n \"*norton*\",\n \"*geek squad*\",\n \"*paypal*\",\n \"*ebay*\",\n \"*symantec*\",\n \"*best buy*\",\n \"*lifelock*\",\n \"*virus*\"\n )\n\n // commonly abused brand logo\n or any(ml.logo_detect(beta.message_screenshot()).brands,\n .name in (\"PayPal\", \"Norton\", \"GeekSquad\", \"Ebay\")\n )\n\n // check message screenshot ocr for commonly abused brands\n or any(file.explode(beta.message_screenshot()),\n 1 of (\n strings.icontains(.scan.ocr.raw, \"geek squad\"),\n strings.icontains(.scan.ocr.raw, \"lifelock\"),\n strings.icontains(.scan.ocr.raw, \"best buy\"),\n strings.icontains(.scan.ocr.raw, \"mcafee\"),\n strings.icontains(.scan.ocr.raw, \"norton\"),\n strings.icontains(.scan.ocr.raw, \"ebay\"),\n strings.icontains(.scan.ocr.raw, \"paypal\"),\n strings.icontains(.scan.ocr.raw, \"virus\"),\n )\n )\n)\n" | ||
| attack_types: | ||
| - "BEC/Fraud" | ||
| tactics_and_techniques: | ||
| - "Impersonation: Brand" | ||
| detection_methods: | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Optical Character Recognition" | ||
| - "Whois" | ||
| id: "e6f4af53-dbb6-5917-acee-bfd7d8042c03" | ||
| testing_pr: 957 | ||
| testing_sha: d0fe20e2712172f40cb260f7feb42e6cbbdb911f |