From 86ff83d1c3ac3ce10be4224239438436d00e7fdf Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 6 Nov 2023 10:13:03 -0500
Subject: [PATCH] New Rule: Suspicious Lookerstudio link (#909)
Co-authored-by: ID Generator
---
...us_lookerstudio_new_unsolicited_sender.yml | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
new file mode 100644
index 00000000000..ea3493d78ea
--- /dev/null
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -0,0 +1,39 @@
+name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
+description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.current_thread.text) < 800
+ and regex.icontains(body.current_thread.text,
+ '(shared.{0,30}with you|View Document)'
+ )
+ and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
+
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+id: "dbb50cb4-171f-532b-b820-906be09d03d6"
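Review bot: The high-trust negation at the end of `source` keeps a `$high_trust_sender_root_domains` sender in scope only when some hop records a DMARC result matching `"*fail"`, so a message that claims such a domain but carries no DMARC result on any hop appears to be negated as well. If the exemption is meant only for authenticated mail, the inner `any(...)` should be keyed on the absence of a recorded pass rather than the presence of a fail. At minimum I would extend the comment to `// negate highly trusted sender domains unless they fail DMARC authentication (a missing DMARC result is treated as trusted)`. Separately, the description mentions a "non standard lookerstudio template", but nothing in `source` inspects a template: the match rests on the `< 800` length cap and the `shared.{0,30}with you|View Document` regex, so a short comment explaining those two choices would help whoever tunes the rule later.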