-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Updating Rule: attachment_docusign_image_suspicious_links.yml by @aidenmitchell #761 Source SHA 6513d69 Triggered by @morriscode
- Loading branch information
Sublime Rule Testing Bot
committed
Sep 8, 2023
1 parent
190ba36
commit 859f240
Showing
1 changed file
with
64 additions
and
0 deletions.
There are no files selected for viewing
64 changes: 64 additions & 0 deletions
64
detection-rules/attachment_docusign_image_suspicious_links.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| name: "Attachment: DocuSign image lure with no DocuSign domains in links" | ||
| description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender." | ||
| type: "rule" | ||
| severity: "high" | ||
| source: | | ||
| type.inbound | ||
| and length(filter(attachments, .file_type not in $file_types_images)) == 0 | ||
| and any(body.links, not strings.ilike(.href_url.domain.root_domain, "docusign.*")) | ||
| and any(attachments, | ||
| ( | ||
| any(ml.logo_detect(.).brands, .name == "DocuSign" and .confidence in ("medium", "high")) | ||
| or any(file.explode(.), | ||
| strings.ilike(.scan.ocr.raw, "*DocuSign*") | ||
| and any(ml.nlu_classifier(.scan.ocr.raw).intents, | ||
| .name == "cred_theft" and .confidence != "low" | ||
| ) | ||
| ) | ||
| ) | ||
| and any(file.explode(.), | ||
| regex.icontains(.scan.ocr.raw, | ||
| "review document", | ||
| "[^d][^o][^c][^u]sign", | ||
| "important edocs", | ||
| "completed document" | ||
| ) | ||
| ) | ||
| ) | ||
| and ( | ||
| ( | ||
| ( | ||
| sender.email.domain.root_domain in $free_email_providers | ||
| and sender.email.email not in $sender_emails | ||
| ) | ||
| or ( | ||
| sender.email.domain.root_domain not in $free_email_providers | ||
| and sender.email.domain.domain not in $sender_domains | ||
| ) | ||
| ) | ||
| or ( | ||
| sender.email.email in $sender_emails | ||
| and any(distinct(headers.hops, .received_spf.verdict is not null), | ||
| regex.icontains(.received_spf.verdict, "fail|error") | ||
| or any(distinct(headers.hops, .authentication_results.dmarc is not null), | ||
| strings.ilike(.authentication_results.dmarc, "*fail") | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Impersonation: Brand" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Computer Vision" | ||
| - "Content analysis" | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Optical Character Recognition" | ||
| - "Sender analysis" | ||
| - "URL screenshot" | ||
| id: "814a5694-d626-5bf4-a1ba-a1dbcb625279" | ||
| testing_pr: 761 | ||
| testing_sha: 6513d69b03e871af705d1e93d672104ee05f1023 |