Create link_multistage_frame_io.yml (#1960)

Co-authored-by: ID Generator <[email protected]> Co-authored-by: Aiden Mitchell <[email protected]>
sublime-security · Nov 5, 2024 · 850a335 · 850a335
1 parent 3c85fe0
commit 850a335
Showing 1 changed file with 172 additions and 0 deletions.
diff --git a/detection-rules/link_multistage_frame_io.yml b/detection-rules/link_multistage_frame_io.yml
@@ -0,0 +1,172 @@
+name: "Link: Multistage Landing - Abused Adobe frame.io"
+description: "The detection rule matches on message groups which make use of Adobe's frame.io as a landing page. The landing page contains links which are newly registered, use free file or subdomain hosts, url shortners or when visited are phishing pages, lead to a captcha or redirect to a well-known domain, seen in evasion tactics."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and sender.email.domain.domain == "frame.io"
+  // these messages contain no email address of the actual sender
+  // so sender profile won't be interesting
+  // however the subject and sender display names do contain the name of the frame.io account
+  // which sent the share
+  
+  // negate where internal employees might have sent the message
+  and not any($org_display_names, strings.istarts_with(subject.subject, .))
+  
+  // the subject contains the name of the file that has been shared
+  // the body does not contain the name shared depending on how it's shared, 
+  // let us use the suspicious file shares from sharepoint here
+  // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_sharepoint_sus_name.yml
+  and (
+    (
+      // file sharing service references
+      strings.icontains(subject.subject, 'dropbox')
+      or strings.icontains(subject.subject, 'docusign')
+  
+      // file name lures
+      // secure theme
+      or regex.icontains(subject.subject, 'secured?.*(?:file|document|docs|fax)')
+      or regex.icontains(subject.subject, 'important.*(?:file|document|docs|fax)')
+      or regex.icontains(subject.subject, 'shared?.*(?:file|document|docs|fax)')
+      or regex.icontains(subject.subject, 'protected.*(?:file|document|docs|fax)')
+      or regex.icontains(subject.subject, 'encrypted.*(?:file|document|docs|fax)')
+  
+      // scanner theme
+      or strings.icontains(subject.subject, 'scanne[rd]_')
+      // image themed
+      or strings.icontains(subject.subject, '_IMG_')
+      or regex.icontains(subject.subject, '^IMG[_-](?:\d|\W)+$')
+  
+      // digits
+      or regex.icontains(subject.subject, 'doc(?:ument)?\s?\d+$')
+      or regex.icontains(subject.subject, '^\d+$')
+  
+      // onedrive theme
+      or strings.icontains(subject.subject, 'one_docx')
+      or strings.icontains(subject.subject, 'OneDrive')
+      or regex.icontains(subject.subject, 'A document.*One.?Drive')
+  
+      // action in file name
+      or strings.icontains(subject.subject, 'click here')
+      or strings.icontains(subject.subject, 'Download PDF')
+      or strings.icontains(subject.subject, 'Validate')
+  
+      // limited file name to "confidential"
+      or subject.subject =~ 'Confidentiality'
+      or subject.subject =~ 'Confidential'
+  
+      // invoice themes
+      or any(ml.nlu_classifier(subject.subject).entities, .name == "financial")
+      or strings.icontains(subject.subject, 'payment')
+      or strings.icontains(subject.subject, 'invoice')
+      or regex.icontains(subject.subject, 'INV(?:_|\s)?\d+$')
+      // starts with INV_ or INV\x20
+      or regex.icontains(subject.subject, '^INV(?:_|\s)')
+      or regex.icontains(subject.subject, 'P[O0]\W+?\d+$')
+      or strings.icontains(subject.subject, 'receipt')
+      or strings.icontains(subject.subject, 'billing')
+      or (
+        strings.icontains(subject.subject, 'statement')
+        and not subject.subject =~ "Privacy Statement"
+      )
+      or strings.icontains(subject.subject, 'Past Due')
+      or regex.icontains(subject.subject, 'Remit(tance)?')
+      or strings.icontains(subject.subject, 'Purchase Order')
+  
+      // contract language
+      or strings.icontains(subject.subject, 'settlement')
+      or strings.icontains(subject.subject, 'contract agreement')
+      or regex.icontains(subject.subject, 'Pr[0o]p[0o]sal')
+      or strings.icontains(subject.subject, 'contract doc')
+    )
+    or any(filter(body.links,
+                  .href_url.domain.root_domain == "frame.io"
+                  and (
+                    strings.starts_with(.href_url.path, '/reviews/')
+                    or strings.starts_with(.href_url.path, '/presentations/')
+                  )
+           ),
+           // when visiting the page on frame.io, the links contain
+           // indications of being suspicious
+           any(filter(ml.link_analysis(.).final_dom.links,
+                      // remove links that are within frame.io or their default page
+                      .href_url.domain.root_domain not in (
+                        'frame.io',
+                        'f.io',
+                        'onetrust.com'
+                      )
+               ),
+               (
+                 // any of those links domains are new
+                 network.whois(.href_url.domain).days_old < 30
+  
+                 // go to free file hosts
+                 or .href_url.domain.root_domain in $free_file_hosts
+                 or .href_url.domain.domain in $free_file_hosts
+  
+                 // go to free subdomains hosts
+                 or (
+                   .href_url.domain.root_domain in $free_subdomain_hosts
+                   // where there is a subdomain
+                   and .href_url.domain.subdomain is not null
+                   and .href_url.domain.subdomain != "www"
+                 )
+                 // go to url shortners
+                 or .href_url.domain.root_domain in $url_shorteners
+                 or .href_url.domain.domain in $url_shorteners
+                 or (
+                   // find any links that mention common "action" words
+                   regex.icontains(subject.subject,
+                                   '(?:view|click|show|access|download|goto|Validate|Va[il]idar|login|verify|account)'
+                   )
+                   and (
+                     // and when visiting those links, are phishing
+                     ml.link_analysis(., mode="aggressive").credphish.disposition == "phishing"
+  
+                     // hit a captcha page
+                     or ml.link_analysis(., mode="aggressive").credphish.contains_captcha
+  
+                     // or the page redirects to common website, observed when evasion happens
+                     or (
+                       length(ml.link_analysis(., mode="aggressive").redirect_history
+                       ) > 0
+                       and ml.link_analysis(., mode="aggressive").effective_url.domain.root_domain in $tranco_10k
+                     )
+                   )
+                 )
+               )
+           )
+  
+           // or search for QR codes in the screenshot of the frame.io page
+           or any(file.explode(ml.link_analysis(.).screenshot),
+                  .depth == 0
+                  and (
+                    (
+                      .scan.qr.type == "url"
+                      and .scan.qr.url.domain.root_domain not in (
+                        'frame.io',
+                        'f.io',
+                        'onetrust.com'
+                      )
+                    )
+                    // some samples have a pdf uploaded that contains a Sharepoint File Share lure.
+                    // we can use ocr to detect this
+                    or strings.icontains(.scan.ocr.raw,
+                                         'This email contains a secure link to sharepoint'
+                    )
+                  )
+           )
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free file host"
+detection_methods:
+  - "Content analysis"
+  - "Whois"
+  - "Computer Vision"
+  - "URL analysis"
+  - "HTML analysis"
+id: "a6c457c5-b171-52c7-9a44-fee65fb89aef"