Sync from PR#999

Create impersonation_dotloop.yml by @aidenmitchell #999 Source SHA 52db535 Triggered by @morriscode
sublime-security · Nov 21, 2023 · aad79fb · aad79fb
1 parent 076aa14
commit aad79fb
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/detection-rules/impersonation_dotloop.yml b/detection-rules/impersonation_dotloop.yml
@@ -0,0 +1,42 @@
+name: "Brand impersonation: Dotloop"
+description: "Impersonation of Dotloop, a real estate transaction management platform."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.ilike(sender.display_name, '*dotloop*')
+    or strings.ilike(sender.email.domain.domain, '*dotloop*')
+  )
+  and sender.email.domain.root_domain not in~ ('dotloop.com', 'showingtime.com')
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "f997581a-ca08-5b21-8a52-ee0ca78fcea5"
+testing_pr: 999
+testing_sha: 52db535791875ae9779326b7aeb66418bf25b708