From a3bc44236c1726facfaeb4ed9643a4f3441842ff Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 11 Dec 2024 06:39:24 +0000
Subject: [PATCH] Sync from PR#2177 Create link_sharepoint_attached_eml.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2177 Source SHA 9fa98f4cecb92d6d44346987526a8da42700b143 Triggered by @zoomequipd
---
 .../link_sharepoint_attached_eml.yml | 45 ++++++++++++++-----
 1 file changed, 34 insertions(+), 11 deletions(-)
diff --git a/detection-rules/link_sharepoint_attached_eml.yml b/detection-rules/link_sharepoint_attached_eml.yml
index 84ed742d23e..5f3bba430bd 100644
--- a/detection-rules/link_sharepoint_attached_eml.yml
+++ b/detection-rules/link_sharepoint_attached_eml.yml
@@ -29,6 +29,18 @@ source: | and all(map(file.parse_eml(.).recipients.cc, .email.email), . in map(recipients.cc, .email.email) ) + // make sure the are the same length + and sum([ + length(recipients.to), + length(recipients.bcc), + length(recipients.cc) + ] + ) == sum([ + length(file.parse_eml(.).recipients.to), + length(file.parse_eml(.).recipients.bcc), + length(file.parse_eml(.).recipients.cc) + ] + ) ) or length(recipients.to) == 0 or all(recipients.to, .email.email == "")
@@ -43,11 +55,11 @@ source: | // without any other recipients and matches the outer message sender ( sum( - [ - length(filter(file.parse_eml(.).recipients.to, .email.email != "")), - length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")), - length(filter(file.parse_eml(.).recipients.cc, .email.email != "")) - ] + [ + length(filter(file.parse_eml(.).recipients.to, .email.email != "")), + length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")), + length(filter(file.parse_eml(.).recipients.cc, .email.email != "")) + ] ) == 1 and ( all(file.parse_eml(.).recipients.to, 
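Review bot: The comment on the first added line of the `@@ -29,6 +29,18 @@` hunk reads `// make sure the are the same length`; it should read `// make sure the outer and inner recipient counts match` (typo "the are", and naming what is being compared). The added sums use the unfiltered `length(recipients.to)` / `length(file.parse_eml(.).recipients.to)` whereas the sums later in this file filter with `.email.email != ""`, so a recipient entry with an empty address counts toward this equality but not toward those; if both places mean the same notion of "recipient", the `filter(..., .email.email != "")` form should be used here as well. A matching total on top of the per-list `in` checks still admits a duplicate address on one side standing in for a distinct one on the other, so this is weaker than full equality of the recipient sets; that is probably acceptable, but the comment should not promise more than it checks. The enclosing boolean expression starts before this hunk, so the `to` and `bcc` counterparts of the visible `cc` membership check are not in view here.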
@@ -60,11 +72,11 @@ source: | // the outer recipieint is the sender of the inner message ( sum( - [ - length(filter(file.parse_eml(.).recipients.to, .email.email != "")), - length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")), - length(filter(file.parse_eml(.).recipients.cc, .email.email != "")) - ] + [ + length(filter(file.parse_eml(.).recipients.to, .email.email != "")), + length(filter(file.parse_eml(.).recipients.bcc, .email.email != "")), + length(filter(file.parse_eml(.).recipients.cc, .email.email != "")) + ] ) == 1 and all(recipients.to, .email.email == file.parse_eml(..).sender.email.email
@@ -72,6 +84,17 @@ source: |
 )
 )
 )
+
+ // exclude bounce backs & read receipts
+ and not strings.like(sender.email.local_part,
+ "*postmaster*",
+ "*mailer-daemon*",
+ "*administrator*"
+ )
+ and not regex.icontains(subject.subject, "^(undeliverable|read:)")
+ and not any(attachments, .content_type == "message/delivery-status")
+ // if the "References" is in the body of the message, it's probably a bounce
+ and not any(headers.references, strings.contains(body.html.display_text, .))
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
@@ -83,4 +106,4 @@ detection_methods:
 - "Header analysis"
 id: "eab46d4b-39c9-568a-bb72-bf93f4cf997e"
 testing_pr: 2177
-testing_sha: 9a85dc28e5032f8d895ac762b4cd6ec5dd3eb16f
+testing_sha: 9fa98f4cecb92d6d44346987526a8da42700b143
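Review bot: `"*administrator*"` in the `strings.like(sender.email.local_part, ...)` exclusion added in the `@@ -72,6 +84,17 @@` hunk is far broader than the bounce-back case the comment describes: the exclusion is a stand-alone conjunct, so any message whose sender local part merely contains that substring leaves the rule regardless of the subject, delivery-status and references checks, and the local part is a value the sending side chooses while "administrator" is also an ordinary account name. The subject regex and the `message/delivery-status` attachment check already cover NDRs and read receipts on their own, so the local-part list can be limited to the mailer identities, `and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*")`, and the two wildcards could be tightened to exact matches if the mailer names are always bare. The references check reads only `body.html.display_text`, so a plain-text-only bounce that quotes the original Message-ID is not excluded by it; if that is intended, the comment `// if the "References" is in the body of the message, it's probably a bounce` should say it applies to the HTML body only. The enclosing `source` block starts before this hunk.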