Commit

Sync from PR#861
New rule: link_freefile_freemail_nlu.yml by @aidenmitchell
#861
Source SHA b66c253
Triggered by @morriscode
Sublime Rule Testing Bot committed Oct 17, 2023
1 parent 77b31ce commit 9962857
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions detection-rules/link_freefile_freemail_nlu.yml
@@ -0,0 +1,19 @@
name: "Link: Free file host from freemail sender with NLU intent"
description: "Detects free file host links sent by freemail senders with a short body and NLU indicators."
type: "rule"
severity: "medium"
source: "type.inbound\n\n// short body\nand length(body.plain.raw) < 500\n\n// NLU intent\nand (\n any(ml.nlu_classifier(body.plain.raw).intents, .name != \"benign\")\n and length(ml.nlu_classifier(body.plain.raw).intents) > 0\n)\n\n// free file host link\nand any(body.links, .href_url.domain.domain in~ $free_file_hosts)\n\n// freemail sender\nand sender.email.domain.root_domain in $free_email_providers\n\nand (\n not profile.by_sender().any_false_positives \n and not profile.by_sender().solicited\n)\n"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free email provider"
- "Free file host"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
id: "569817fe-96b5-5c1d-96dc-30cd1cb9fd16"
testing_pr: 861
testing_sha: b66c253e300be08704bde4a26ea84b3650c5fcf6
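Review bot: In the `// NLU intent` block, the second conjunct `and length(ml.nlu_classifier(body.plain.raw).intents) > 0` is redundant: `any(ml.nlu_classifier(body.plain.raw).intents, .name != "benign")` can only evaluate true when the intents list is non-empty, so the extra check narrows nothing and costs a second classifier invocation on the same body. Dropping it leaves the block as just the `any(...)` condition. Two smaller points in the same source: the file-host check uses the case-insensitive `in~` against `$free_file_hosts` while the freemail check uses case-sensitive `in` against `$free_email_providers`, so it is worth confirming that `sender.email.domain.root_domain` is already normalized to the list's casing or making the two operators consistent; and there is trailing whitespace after `profile.by_sender().any_false_positives`.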
