From b69fef68ffc209336a21199c8f5bb98d3cd51d27 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 19 Oct 2023 15:58:12 -0400 Subject: [PATCH] New Rule: X (Twitter) Impersonation with Credential Phishing motives (#676) Co-authored-by: ID Generator --- .../impersonation_x_with_credphish_nlu.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 detection-rules/impersonation_x_with_credphish_nlu.yml diff --git a/detection-rules/impersonation_x_with_credphish_nlu.yml b/detection-rules/impersonation_x_with_credphish_nlu.yml new file mode 100644 index 00000000000..19912e3521a --- /dev/null +++ b/detection-rules/impersonation_x_with_credphish_nlu.yml @@ -0,0 +1,37 @@ +name: "X (Twitter) Impersonation with Credential Phishing motives" +description: | + This rule is designed to identify impersonation attempts by analyzing the display name or sender's + local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com. + Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging. +type: "rule" +severity: "medium" +source: | + type.inbound + and (sender.display_name =~ "x" or sender.email.local_part =~ "x") + and sender.email.domain.root_domain not in ("twitter.com", "x.com") + and ( + any(attachments, + .file_type in~ $file_types_images + and any(file.explode(.), + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "cred_theft" and .confidence != "low" + ) + ) + ) + or any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "cred_theft" and .confidence != "low" + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "File analysis" + - "Header analysis" + - "Optical Character Recognition" + - "Natural Language Understanding" + - "Sender analysis" +id: "0b60dca6-db2d-5718-94d8-fdbfd06bd081"