From aad79fb5f2641930fe6abbaf7750f5e7d3a1c9b8 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Tue, 21 Nov 2023 01:17:31 +0000
Subject: [PATCH] Sync from PR#999 Create impersonation_dotloop.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/999 Source SHA 52db535791875ae9779326b7aeb66418bf25b708 Triggered by @morriscode
---
 detection-rules/impersonation_dotloop.yml | 42 +++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 detection-rules/impersonation_dotloop.yml
diff --git a/detection-rules/impersonation_dotloop.yml b/detection-rules/impersonation_dotloop.yml
new file mode 100644
index 00000000000..3d9d6ac2ad7
--- /dev/null
+++ b/detection-rules/impersonation_dotloop.yml
@@ -0,0 +1,42 @@
+name: "Brand impersonation: Dotloop"
+description: "Impersonation of Dotloop, a real estate transaction management platform."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.ilike(sender.display_name, '*dotloop*')
+    or strings.ilike(sender.email.domain.domain, '*dotloop*')
+  )
+  and sender.email.domain.root_domain not in~ ('dotloop.com', 'showingtime.com')
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+          strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "f997581a-ca08-5b21-8a52-ee0ca78fcea5"
+testing_pr: 999
+testing_sha: 52db535791875ae9779326b7aeb66418bf25b708
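Review bot: The `and sender.email.domain.root_domain not in~ ('dotloop.com', 'showingtime.com')` clause exempts the brand's own root domains unconditionally, so a message whose From: domain is dotloop.com but which fails DMARC is excluded before the DMARC block at the end of `source` is ever evaluated — and a spoofed From: on the real brand domain is the case this rule most needs to keep in scope. The trailing `$high_trust_sender_root_domains` block cannot recover it, because the earlier clause has already made the whole expression false for those two domains. I would make the exemption conditional on authentication, reusing the hop-based DMARC check the rule already contains (if this ruleset exposes a summary predicate such as `headers.auth_summary.dmarc.pass`, that is the simpler form — I have not confirmed its availability from this diff). Note that the hop-based form still exempts a message that carries no DMARC result at all; if that is the intended trade-off, say so in the comment, otherwise require an explicit pass.

```yaml
  // … unchanged: type.inbound and the display_name / domain lookalike match …
  // exempt the brand's own domains only when no hop reports a DMARC failure;
  // an unauthenticated From: @dotloop.com is exactly the spoof to keep in scope
  and not (
    sender.email.domain.root_domain in~ ('dotloop.com', 'showingtime.com')
    and not any(distinct(headers.hops, .authentication_results.dmarc is not null),
      strings.ilike(.authentication_results.dmarc, "*fail")
    )
  )
  // … unchanged: sender profile prevalence check and high-trust DMARC block …
```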