From 8509996cde0282522efd4cd1a1b84a738d12b06f Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Tue, 14 Nov 2023 19:48:57 +0000
Subject: [PATCH] Sync from PR#957 New Rule: Invoice Fraud from 30d domains by @morriscode https://github.com/sublime-security/sublime-rules/pull/957 Source SHA d0fe20e2712172f40cb260f7feb42e6cbbdb911f Triggered by @morriscode
---
 .../bec_invoice_fraud_30d_domains.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 detection-rules/bec_invoice_fraud_30d_domains.yml
diff --git a/detection-rules/bec_invoice_fraud_30d_domains.yml b/detection-rules/bec_invoice_fraud_30d_domains.yml
new file mode 100644
index 00000000000..f1664fb2aa5
--- /dev/null
+++ b/detection-rules/bec_invoice_fraud_30d_domains.yml
@@ -0,0 +1,17 @@
+name: "BEC/Fraud - Invoice from sender, reply-to or return-path domain less than 30d old"
+description: "This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. "
+type: "rule"
+severity: "medium"
+source: "type.inbound\n\n// reply to domain that's less than 30d old and doesn't match the sender\nand (\n (\n length(headers.reply_to) > 0\n and all(headers.reply_to,\n beta.whois(.email.domain).days_old <= 30\n and .email.email != sender.email.email\n )\n )\n\n // or the return path or sender domain is less than 30d old \n or beta.whois(headers.return_path.domain).days_old <= 30\n or beta.whois(sender.email.domain).days_old <=30\n)\n\n// invoicing with high confidence\nand any(ml.nlu_classifier(body.current_thread.text).tags,\n .name == \"invoice\" and .confidence == \"high\"\n)\n\n// commonly abused brands in body\nand (\n strings.ilike(body.current_thread.text,\n \"*mcafee*\",\n \"*norton*\",\n \"*geek squad*\",\n \"*paypal*\",\n \"*ebay*\",\n \"*symantec*\",\n \"*best buy*\",\n \"*lifelock*\",\n \"*virus*\"\n )\n\n // commonly abused brand logo\n or any(ml.logo_detect(beta.message_screenshot()).brands,\n .name in (\"PayPal\", \"Norton\", \"GeekSquad\", \"Ebay\")\n )\n\n // check message screenshot ocr for commonly abused brands\n or any(file.explode(beta.message_screenshot()),\n 1 of (\n strings.icontains(.scan.ocr.raw, \"geek squad\"),\n strings.icontains(.scan.ocr.raw, \"lifelock\"),\n strings.icontains(.scan.ocr.raw, \"best buy\"),\n strings.icontains(.scan.ocr.raw, \"mcafee\"),\n strings.icontains(.scan.ocr.raw, \"norton\"),\n strings.icontains(.scan.ocr.raw, \"ebay\"),\n strings.icontains(.scan.ocr.raw, \"paypal\"),\n strings.icontains(.scan.ocr.raw, \"virus\"),\n )\n )\n)\n"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+detection_methods:
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Whois"
+id: "e6f4af53-dbb6-5917-acee-bfd7d8042c03"
+testing_pr: 957
+testing_sha: d0fe20e2712172f40cb260f7feb42e6cbbdb911f
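Review bot: The comment `// reply to domain that's less than 30d old and doesn't match the sender` in the `source` string does not match the check under it, which compares the full address (`.email.email != sender.email.email`) rather than the domain, so a reply-to at the sender's own newly registered domain with a different local part still satisfies the mismatch; if that is intended, the comment should say so, e.g. `// reply-to address differs from the sender and its domain is less than 30d old`. The body keyword list under `// commonly abused brands in body` and the OCR list both carry `virus`, which is not a brand, and the three lists do not agree with each other (`symantec` appears only in the body list, and the logo list is shorter still); a short comment stating that the lists are deliberately different, or aligning them, would keep a later brand-list cleanup from silently narrowing the rule. Operator spacing is also inconsistent between adjacent lines (`days_old <= 30` and `days_old <=30`).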