

Sync from PR#2177
Create link_sharepoint_attached_eml.yml by @zoomequipd
#2177
Source SHA 9fa98f4
Triggered by @zoomequipd
Sublime Rule Testing Bot committed Dec 11, 2024
1 parent d318a23 commit a3bc442
Showing 1 changed file with 34 additions and 11 deletions.
45 changes: 34 additions & 11 deletions detection-rules/link_sharepoint_attached_eml.yml
Expand Up @@ -29,6 +29,18 @@ source: |
and all(map(file.parse_eml(.).recipients.cc, .email.email),
. in map(recipients.cc, .email.email)
)
// make sure the are the same length
and sum([
length(recipients.to),
length(recipients.bcc),
length(recipients.cc)
]
) == sum([
length(file.parse_eml(.).recipients.to),
length(file.parse_eml(.).recipients.bcc),
length(file.parse_eml(.).recipients.cc)
]
)
)
or length(recipients.to) == 0
or all(recipients.to, .email.email == "")
Expand All @@ -43,11 +55,11 @@ source: |
// without any other recipients and matches the outer message sender
(
sum(
[
length(filter(file.parse_eml(.).recipients.to, .email.email != "")),
length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")),
length(filter(file.parse_eml(.).recipients.cc, .email.email != ""))
]
[
length(filter(file.parse_eml(.).recipients.to, .email.email != "")),
length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")),
length(filter(file.parse_eml(.).recipients.cc, .email.email != ""))
]
) == 1
and (
all(file.parse_eml(.).recipients.to,
Expand All @@ -60,18 +72,29 @@ source: |
// the outer recipieint is the sender of the inner message
(
sum(
[
length(filter(file.parse_eml(.).recipients.to, .email.email != "")),
length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")),
length(filter(file.parse_eml(.).recipients.cc, .email.email != ""))
]
[
length(filter(file.parse_eml(.).recipients.to, .email.email != "")),
length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")),
length(filter(file.parse_eml(.).recipients.cc, .email.email != ""))
]
) == 1
and all(recipients.to,
.email.email == file.parse_eml(..).sender.email.email
)
)
)
)
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand All @@ -83,4 +106,4 @@ detection_methods:
- "Header analysis"
id: "eab46d4b-39c9-568a-bb72-bf93f4cf997e"
testing_pr: 2177
testing_sha: 9a85dc28e5032f8d895ac762b4cd6ec5dd3eb16f
testing_sha: 9fa98f4cecb92d6d44346987526a8da42700b143
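Review bot: The bounce/read-receipt exclusion added in the third hunk keys three of its four tests on sender-controlled text — the `sender.email.local_part` wildcards `*postmaster*`, `*mailer-daemon*`, `*administrator*` and the subject prefix `^(undeliverable|read:)` — so a message that matches the SharePoint-link-with-attached-EML logic is suppressed whenever any one of those strings is present, and `*administrator*` in particular is not specific to bounce traffic. Consider letting the two structural indicators already in the hunk (the `message/delivery-status` attachment and the References-in-body check) stand on their own while requiring the local-part and subject matches to co-occur, so that a single string is not enough to drop a hit; a restructured exclusion is sketched below. Separately, the hunk-1 comment `// make sure the are the same length` should read `// make sure they are the same length`. The enclosing `source: |` block starts before the first hunk.
```yaml
// … unchanged: recipient matching and inner/outer sender checks …
// exclude bounce backs & read receipts
and not (
  any(attachments, .content_type == "message/delivery-status")
  // if the "References" is in the body of the message, it's probably a bounce
  or any(headers.references, strings.contains(body.html.display_text, .))
  or (
    strings.like(sender.email.local_part,
      "*postmaster*",
      "*mailer-daemon*",
      "*administrator*"
    )
    and regex.icontains(subject.subject, "^(undeliverable|read:)")
  )
)
```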

0 comments on commit a3bc442
