diff --git a/.github/workflows/clear-old-test-rules.yml b/.github/workflows/clear-old-test-rules.yml
index c5f6d3429a2..f0cefca1ccb 100644
--- a/.github/workflows/clear-old-test-rules.yml
+++ b/.github/workflows/clear-old-test-rules.yml
@@ -63,7 +63,7 @@ jobs:
if [[ "$in_open_pr" = "false" ]]; then
rm $file
- echo "Removed $pr_num" >> ../message.txt
+ echo "Removed $file_pr_num" >> ../message.txt
fi
done
diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml
index c34ed7ce5ea..78efe60f6dc 100644
--- a/.github/workflows/rule-validate.yml
+++ b/.github/workflows/rule-validate.yml
@@ -8,13 +8,18 @@ on:
workflow_dispatch: {}
concurrency:
- group: ${{ github.head_ref }}
+ # For pull_request_target workflows we want to use head_ref -- the branch triggering the workflow. Otherwise,
+ # use ref, which is the branch for a push event.
+ group: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
cancel-in-progress: true
jobs:
tests:
name: Run Rule Validation
runs-on: ubuntu-20.04
+ permissions:
+ contents: write
+ checks: write
steps:
- name: Set up yq
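Review bot: The `tests` job now carries `contents: write` and `checks: write` (L28–L30) while the concurrency expression on L22 and the `if:` later in this file indicate it runs on `pull_request_target`, and the next hunk shows it checking out `github.head_ref` from `github.event.pull_request.head.repo.full_name` and then running `pip install -r scripts/generate-rule-ids/requirements.txt` and `python scripts/generate-rule-ids/main.py` from that checkout. Under that trigger the job's `GITHUB_TOKEN` has push rights to this repository while the script and its requirements are whatever the PR head contains, so the code being executed is controlled by the PR author rather than by the base branch. The removed `rule-ids` job had the same shape, so this is not new, but folding it into the validation job is the moment to fix it: check out the base ref's `scripts/` with a second `actions/checkout` (no `ref:`, a separate `path:`) and run the generator from there, or move the write-scoped commit/check steps into a `workflow_run` job, so that no job executing PR-controlled files holds `contents: write`. A comment above `permissions:` such as `# write scopes: only safe if nothing below executes files from the PR head` would record the invariant for the next editor.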
@@ -26,6 +31,16 @@ jobs:
ref: ${{ github.head_ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - uses: actions/setup-python@v4
+ with:
+ python-version: '3.10'
+
+ - name: Add Rule IDs as Needed & Check for Duplicates
+ # Run before testing, just in case this could invalidate the rule itself
+ run: |
+ pip install -r scripts/generate-rule-ids/requirements.txt
+ python scripts/generate-rule-ids/main.py
+
- name: Validate Rules
run: |
for f in *-rules/*.yml
@@ -58,32 +73,10 @@ jobs:
run: |
! /bin/sh -c 'ls **/*.yaml'
- rule-ids:
- name: Add Rule IDs & Validate Uniqueness
- runs-on: ubuntu-20.04
-
- permissions:
- contents: write
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- with:
- ref: ${{ github.head_ref }}
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- fetch-depth: 0
-
- - uses: actions/setup-python@v4
- with:
- python-version: '3.10'
-
- - name: Add Rule IDs as Needed & Check for Duplicates
- run: |
- pip install -r scripts/generate-rule-ids/requirements.txt
- python scripts/generate-rule-ids/main.py
-
- name: Commit & Push Results, if needed
run: |
+ rm response.txt
+
if [ -z "$(git status --porcelain)" ]; then
echo "No files changed, nothing to do"
exit 0
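Review bot: `rm response.txt` at the top of the `Commit & Push Results, if needed` step will fail the step when the file is absent, because GitHub runs `run:` blocks with `bash -e`; where `response.txt` is written is outside this hunk, so it is not clear it exists on every path through the job. `rm -f response.txt` keeps the cleanup best-effort, and a one-line comment such as `# drop the validation response so it is not mistaken for a rule change below` would explain why the deletion precedes the `git status --porcelain` check.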
@@ -91,49 +84,30 @@ jobs:
git config user.name 'ID Generator'
git config user.email 'hello@sublimesecurity.com'
- git add -A
+ git add **/*.yml
git commit -m "Auto add rule ID"
git push origin ${{ github.head_ref }}
- - name: Get the head ref (eg branch)
- id: get_head
- run: git rev-parse HEAD > sha.txt
-
- - name: Upload SHA for later job
- uses: actions/upload-artifact@v3
- with:
- name: sha
- path: sha.txt
-
- # When the rule-ids job adds a commit, GitHub won't trigger actions on the auto commit. Various alternatives
- # were explored, but all run into issues when dealing with forks (well we'll see if this does too).
- set-checks:
- name: Set GH Checks Status
- runs-on: ubuntu-20.04
- # Both must complete successfully. We assume that rule-ids does not break our rule validation (if we're not confident
- # we can change the ordering.
- needs: [rule-ids, tests]
-
- permissions:
- checks: write
-
- steps:
-
- - name: Download SHA from Previous Job
- uses: actions/download-artifact@v3
- with:
- name: sha
-
- - name: Get the head ref (eg branch)
+ - name: Get the head SHA
id: get_head
- run: echo "##[set-output name=HEAD;]$(cat sha.txt)"
+ run: echo "##[set-output name=HEAD;]$(git rev-parse HEAD)"
+ # When we add a commit, GitHub won't trigger actions on the auto commit, so we're missing a required check on the
+ # HEAD commit.
+ # Various alternatives were explored, but all run into issues when dealing with forks. This sets a "Check" for
+ # the latest commit, and we can depend on that as a required check.
- name: "Create a check run"
uses: actions/github-script@v6
+ if: github.event_name == 'pull_request_target'
env:
parameter_url: '${{ github.event.pull_request.html_url }}'
with:
debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }}
+ retries: 3
+ # Default includes 422 which GitHub returns when it doesn't know about the head_sha we set the status for.
+ # This occurs when the previous push succeeds, but the checks/pull request component of GitHub isn't yet aware
+ # of the new commit. This isn't the common case, but it comes up enough to be annoying.
+ retry-exempt-status-codes: 400, 401, 403, 404
script: |
// any JavaScript code can go here, you can use Node JS APIs too.
// Docs: https://docs.github.com/en/rest/checks/runs#create-a-check-run
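Review bot: The new `Get the head SHA` step on L123 still uses the legacy `##[set-output name=HEAD;]` workflow command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; it currently produces a warning and is scheduled to stop being honoured, at which point the check-run script (presumably reading `steps.get_head.outputs.HEAD`, outside this hunk) would get an empty `head_sha`. `run: echo "HEAD=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"` is the supported equivalent. Separately, `git add **/*.yml` on L87 is expanded by bash without `globstar`, so `**` behaves like `*` and only one directory level is staged; that matches the `*-rules/*.yml` layout the validation loop uses, but a comment such as `# one level deep is intentional: rules live in */*.yml` would stop a deeper rule directory from being silently left out of the auto commit.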
@@ -147,8 +121,8 @@ jobs:
conclusion: "success",
details_url: process.env.parameter_url,
output: {
- title: "Rule Tests and ID Generation",
- summary: "Rule Tests and ID Generation",
- text: "Rule Tests and ID Generation",
+ title: "Rule Tests and ID Updated",
+ summary: "Rule Tests and ID Updated",
+ text: "Rule Tests and ID Updated",
},
});
diff --git a/.github/workflows/update-test-rules.yml b/.github/workflows/update-test-rules.yml
index efd52c86991..89c681c27e0 100644
--- a/.github/workflows/update-test-rules.yml
+++ b/.github/workflows/update-test-rules.yml
@@ -51,7 +51,7 @@ jobs:
uses: lewagon/wait-on-check-action@v1.3.1
with:
ref: ${{ steps.comment-branch.outputs.head_sha }}
- check-name: 'Run Rule Validation'
+ check-name: 'Rule Tests and ID Updated'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 10
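Review bot: `check-name` has to match the `name` passed to `checks.create` in rule-validate.yml, not the check run's output `title`; the only strings that diff renames are `title`/`summary`/`text` (L150–L152), and the `name` line of the check run sits outside the visible hunks. If it was not renamed to `Rule Tests and ID Updated` in the same commit, `wait-on-check-action` will poll for a check that is never created and time out on every test-rule update; please confirm the `name` line or quote it in the PR description.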
diff --git a/detection-rules/attachment_adobe_image_lure_fts.yml b/detection-rules/attachment_adobe_image_lure_fts.yml
index 3691e0bdf96..1d84a92ff8c 100644
--- a/detection-rules/attachment_adobe_image_lure_fts.yml
+++ b/detection-rules/attachment_adobe_image_lure_fts.yml
@@ -1,6 +1,5 @@
name: "Attachment: Adobe image lure with suspicious link from first time sender"
-description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language
- from a first-time sender."
+description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender."
type: "rule"
severity: "medium"
source: |
@@ -25,8 +24,15 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious link"
- - "Brand impersonation"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Image as content"
+ - "Impersonation: Brand"
+detection_methods:
+ - "Content analysis"
- "Computer Vision"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
id: "1d7add81-9822-576a-bcae-c4440e75e393"
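Review bot: `attack_types: - "Malware/Ransomware"` (L186–L187) does not match the rule's own description on L175 ("Adobe phishing messages ... with suspicious link language"), and the analogous image-lure rules in this diff, `attachment_docusign_image_suspicious_links.yml` and `attachment_dropbox_image_suspicious_links.yml`, are tagged `- "Credential Phishing"`; that looks like the intended value here too. Also, the description on L175 is now a single ~140-character line; a `description: >-` folded scalar would keep it within the usual line-length limit without changing the value.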
diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
index 682806f5dc5..95bd7734acc 100644
--- a/detection-rules/attachment_any_html_in_archive_unsolicited.yml
+++ b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
@@ -25,6 +25,14 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "6a67c02c-d405-531e-850a-1722849c5fe4"
diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
index 3a0dd481a41..17aedb1ff72 100644
--- a/detection-rules/attachment_any_html_new_sender.yml
+++ b/detection-rules/attachment_any_html_new_sender.yml
@@ -27,7 +27,10 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- "Attack surface reduction"
+tactics_and_techniques:
- "HTML smuggling"
+detection_methods:
+ - "HTML analysis"
+ - "Sender analysis"
id: "57a8f5c5-c4c4-5268-b452-e381dc64ea42"
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index fe0b39cbd13..80527bfd3c1 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -27,7 +27,11 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- "Attack surface reduction"
+tactics_and_techniques:
- "HTML smuggling"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+ - "Sender analysis"
id: "ef36763f-917d-5338-b1ac-84047334dce8"
diff --git a/detection-rules/attachment_archive_with_chm.yml b/detection-rules/attachment_archive_with_chm.yml
index df9c8df125c..926e3f7e0be 100644
--- a/detection-rules/attachment_archive_with_chm.yml
+++ b/detection-rules/attachment_archive_with_chm.yml
@@ -14,7 +14,11 @@ source: |
and any(attachments, .file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "chm")
)
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "5280e94d-592b-5d80-b548-b0e2ad4c9eae"
diff --git a/detection-rules/attachment_archive_with_exe.yml b/detection-rules/attachment_archive_with_exe.yml
index 8ca7adbc3a9..24101b3a289 100644
--- a/detection-rules/attachment_archive_with_exe.yml
+++ b/detection-rules/attachment_archive_with_exe.yml
@@ -19,7 +19,12 @@ source: |
any(.flavors.yara, . == "mz_file")
)
)
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "YARA"
id: "e2b0ad86-1264-567e-b7c4-78d7ddbe7722"
diff --git a/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml b/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml
index ace4dcc07e5..f3cc147ff46 100644
--- a/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml
+++ b/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml
@@ -15,6 +15,13 @@ source: |
and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
)
tags:
- - "QakBot"
- - "Suspicious attachment"
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "16b2e239-a7d1-51ef-aac1-562b3cc59787"
diff --git a/detection-rules/attachment_callback_phish_with_img.yml b/detection-rules/attachment_callback_phish_with_img.yml
index 11ad1403e23..29ad847fe58 100644
--- a/detection-rules/attachment_callback_phish_with_img.yml
+++ b/detection-rules/attachment_callback_phish_with_img.yml
@@ -19,7 +19,7 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-
+
and sender.email.domain.root_domain in $free_email_providers
and any(attachments, .file_extension in~ ('png', 'jpg', 'jpeg')
and any(file.explode(.),
@@ -39,7 +39,7 @@ source: |
"*refund*",
"*+1*"
))) >= 4)
-
+
and any(file.explode(.),
length(filter(.scan.strings.strings, strings.ilike(.,
"*geek squad*",
@@ -52,7 +52,18 @@ source: |
"*secure anywhere*"
))) >=1)
)
-tags:
+attack_types:
- "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Out of band pivot"
+ - "Social engineering"
+ - "Image as content"
+detection_methods:
+ - "Content analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+ - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
index 580f9c80641..c951fafcf30 100644
--- a/detection-rules/attachment_callback_phish_with_pdf.yml
+++ b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -23,7 +23,7 @@ source: |
// sender is freemail
and sender.email.domain.root_domain in $free_email_providers
-
+
// the attachment is a pdf with 1 page, and at least 60 ocr chars
and any(attachments, .file_extension == "pdf"
and any(file.explode(.),
@@ -47,7 +47,7 @@ source: |
"*refund*",
"*+1*"
))) >= 4)
-
+
// 1 of the following strings is found, representing common Callback brands
and any(file.explode(.),
length(filter(.scan.strings.strings, strings.ilike(.,
@@ -60,7 +60,17 @@ source: |
"*paypal*",
))) >=1)
)
-tags:
+attack_types:
- "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Out of band pivot"
+ - "PDF"
+ - "Social engineering"
+detection_methods:
+ - "Exif analysis"
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"
diff --git a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
index 3806b56d0aa..4158d855436 100644
--- a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
+++ b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
@@ -21,7 +21,11 @@ source: |
and length(filter(.scan.strings.strings, strings.ilike(.,'{\f*;}'))) > 10000
)
)
-tags:
- - "Office exploit"
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Exploit"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
id: "23714cca-f0c6-5fa5-a68b-98c9d60a508d"
diff --git a/detection-rules/attachment_disallowed_file_type_in_archive.yml b/detection-rules/attachment_disallowed_file_type_in_archive.yml
index ec4161c0f79..fdfb6213a46 100644
--- a/detection-rules/attachment_disallowed_file_type_in_archive.yml
+++ b/detection-rules/attachment_disallowed_file_type_in_archive.yml
@@ -194,6 +194,12 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "3859e3e7-51c9-5259-9b7d-f8c0957696c0"
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index 057ce4705bd..76e6ca214fc 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -28,8 +28,17 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious link"
- - "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
- "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL screenshot"
id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"
diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml
index 5de6896143a..77bed727988 100644
--- a/detection-rules/attachment_dropbox_image_suspicious_links.yml
+++ b/detection-rules/attachment_dropbox_image_suspicious_links.yml
@@ -6,7 +6,7 @@ source: |
type.inbound
and length(filter(attachments, .file_type not in~ ('png', 'jpeg', 'jpg', 'bmp'))) == 0
and any(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*"))
-
+
and any(attachments, .file_type in~ ('png','jpg','jpeg','bmp')
and any(file.explode(.),
any(.scan.strings.strings, strings.ilike(., "*dropbox*"))
@@ -24,7 +24,15 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious link"
- - "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
id: "500eee2d-d793-5450-a87f-825ce27c897d"
diff --git a/detection-rules/attachment_eicar.yml b/detection-rules/attachment_eicar.yml
index a8e90fbb65c..0ca141f4953 100644
--- a/detection-rules/attachment_eicar.yml
+++ b/detection-rules/attachment_eicar.yml
@@ -1,7 +1,7 @@
name: "Attachment: EICAR String Present"
description: |
This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.
-
+
For performance reasons, this rule is limited to attachments with "eicar" in the file name.
references:
- "https://www.eicar.org/download-anti-malware-testfile/"
@@ -18,4 +18,8 @@ source: |
))
tags:
- "EICAR"
+attack_types:
+ - "Malware/Ransomware"
+detection_methods:
+ - "File analysis"
id: "592e2319-9e4f-5e3d-9b34-22259ddc3416"
diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
index 4d63e828e19..88e8063435f 100644
--- a/detection-rules/attachment_eml_cred_theft.yml
+++ b/detection-rules/attachment_eml_cred_theft.yml
@@ -1,6 +1,6 @@
name: "Attachment: EML with link to credential phishing page"
description: |
- Attached EML contains a link which uses language resembling credential phishing.
+ Attached EML links to a credential phishing site.
type: "rule"
severity: "medium"
source: |
@@ -12,18 +12,10 @@ source: |
.domain.domain in $free_file_hosts or
.domain.root_domain in $free_subdomain_hosts
)
-
and any(.scan.url.urls,
- // another option is using credphish disposition,
- // we're just waiting on an update to flag Adobe on indd[.]adobe[.]com
- any(file.explode(beta.linkanalysis(.).screenshot),
- any(ml.nlu_classifier(.scan.ocr.raw).intents,
- .name == "cred_theft" and
- .confidence == "high"
- )
- )
+ beta.linkanalysis(.).credphish.disposition == "phishing"
)
- )
+ )
)
// engaging language in the original body
@@ -36,9 +28,21 @@ source: |
and not any(headers.references,
strings.contains(body.html.display_text, .)
)
-tags:
- - "Suspicious attachment"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free file host"
+ - "Free subdomain host"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
- "Natural Language Understanding"
- - "Credential phishing"
+ - "Optical Character Recognition"
+ - "URL analysis"
+ - "URL screenshot"
id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"
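Review bot: `detection_methods` now lists "Computer Vision", "Optical Character Recognition" and "URL screenshot" (L557, L564, L566), but the previous hunk removed the only visible use of `beta.linkanalysis(.).screenshot` and `ml.nlu_classifier(.scan.ocr.raw)` in favour of `beta.linkanalysis(.).credphish.disposition == "phishing"`. Unless the part of `source` outside the hunks still screenshots or OCRs something, those three labels describe evidence the rule no longer collects, which misleads anyone triaging a hit by its method tags. "Natural Language Understanding" may still be accurate if the "engaging language in the original body" block (context on L541) calls `ml.nlu_classifier`; the rest of the source is not visible here.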
diff --git a/detection-rules/attachment_eml_file_with_ipfs_links.yml b/detection-rules/attachment_eml_file_with_ipfs_links.yml
index ced2a638495..2797732d568 100644
--- a/detection-rules/attachment_eml_file_with_ipfs_links.yml
+++ b/detection-rules/attachment_eml_file_with_ipfs_links.yml
@@ -8,12 +8,12 @@ type: "rule"
severity: "medium"
source: |
type.inbound
-
+
and any(attachments, .content_type == "message/rfc822"
and any(file.explode(.),
any(.scan.url.urls,
strings.icontains(beta.linkanalysis(.).effective_url.url, 'ipfs')
-
+
or (
regex.icontains(beta.linkanalysis(.).effective_url.path, '[\.-/]ipfs|ipfs[\.-/]')
and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
@@ -31,8 +31,14 @@ source: |
)
)
)
-
-tags:
- - "Suspicious attachment"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free file host"
+ - "Free subdomain host"
+ - "IPFS"
+detection_methods:
+ - "File analysis"
+ - "URL analysis"
id: "1fe9d7e7-892b-5b7f-a334-53b3fbddb9fe"
diff --git a/detection-rules/attachment_eml_html_attachment_portal.yml b/detection-rules/attachment_eml_html_attachment_portal.yml
index 5a752414260..5dc69446d86 100644
--- a/detection-rules/attachment_eml_html_attachment_portal.yml
+++ b/detection-rules/attachment_eml_html_attachment_portal.yml
@@ -5,48 +5,84 @@ type: "rule"
severity: "high"
source: |
type.inbound
+
// exclude bounce backs & read receipts
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
+
// if the "References" is in the body of the message, it's probably a bounce
- and not any(headers.references,
- strings.contains(body.html.display_text, .)
+ and not any(headers.references, strings.contains(body.html.display_text, .))
+ and (
+ (length(headers.references) == 0 and headers.in_reply_to is null)
+ or (
+ not strings.istarts_with(subject.subject, "re:")
+ and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
+ )
)
- and any(attachments, .content_type == "message/rfc822"
- and any(file.explode(.),
- (
- // suspicious strings found in javascript
- length(filter(.scan.javascript.strings, strings.ilike(.,
- "*username*", "*login-form*", "*email-form*", "*Incorrect password. Please try again.*", "*Password Incomplete, please try again*"
- ))) >= 3 or
- (
- // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
- .flavors.mime in~ ("text/html", "text/plain") and
- length(filter(.scan.strings.strings, strings.ilike(.,
- "*username*", "*login-form*", "*email-form*", "*Incorrect password. Please try again.*", "*Password Incomplete, please try again*"
- ))) >= 3
- )
- ) or
- //Known phishing obfuscation
- (
- length(
- filter(
- .scan.strings.strings, strings.ilike(.,
- //Enter password
- "*Enter password*",
- //Forgotten my password
- "*Forgotten my password*",
- //Sign in
- "*Sign in*"
+ and any(attachments,
+ .content_type == "message/rfc822"
+ and any(file.explode(.),
+ (
+ // suspicious strings found in javascript
+ length(filter(.scan.javascript.strings,
+ strings.ilike(.,
+ "*username*",
+ "*login-form*",
+ "*email-form*",
+ "*Incorrect password. Please try again.*",
+ "*Password Incomplete, please try again*"
+ )
+ )
)
- )
- ) >= 2
- )
- )
+ >= 3
+ or (
+
+ // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
+ .flavors.mime in~ ("text/html", "text/plain")
+ and length(filter(.scan.strings.strings,
+ strings.ilike(.,
+ "*username*",
+ "*login-form*",
+ "*email-form*",
+ "*Incorrect password. Please try again.*",
+ "*Password Incomplete, please try again*"
+ )
+ )
+ )
+ >= 3
+ )
+ )
+ or
+
+ //Known phishing obfuscation
+ (
+ length(filter(.scan.strings.strings,
+ strings.ilike(.,
+ //Enter password
+ "*Enter password*",
+ //Forgotten my password
+ "*Forgotten my password*",
+ //Sign in
+ "*Sign in*"
+ )
+ )
+ )
+ >= 2
+ )
+ )
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
- - "Credential phishing"
-id: "6e4df158-6498-572b-9448-a343c531e5f9"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
+id: "6e4df158-6498-572b-9448-a343c531e5f9"
\ No newline at end of file
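Review bot: The new reply-detection clause on L624–L630 has no comment and its last test reads ambiguously: `strings.ilike(.signature.headers, "*:reply-to")` matches a signed `Reply-To` header but not `In-Reply-To`, because in a `h=` list the latter is preceded by `-` rather than `:`, while the line above checks the hop fields for `In-Reply-To`. If the intent is to catch a signed In-Reply-To header, `"*in-reply-to*"` is the pattern; if `Reply-To` is genuinely meant, a comment such as `// treat as a reply when References/In-Reply-To are set, or the subject, hop fields or signed headers indicate one` above L624 would make that explicit. The file also loses its trailing newline (L731); rule files should end with one so the next append produces a clean diff.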
diff --git a/detection-rules/attachment_eml_suspicious_link_language.yml b/detection-rules/attachment_eml_suspicious_link_language.yml
index 11707ce6bfb..6e56eff21fa 100644
--- a/detection-rules/attachment_eml_suspicious_link_language.yml
+++ b/detection-rules/attachment_eml_suspicious_link_language.yml
@@ -49,8 +49,18 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free file host"
+ - "Free subdomain host"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
- "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
id: "2038ffcc-c38e-5cb3-8594-7f40c112d08c"
diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml
index e9daeb73e9c..221f4a1e697 100644
--- a/detection-rules/attachment_eml_with_html_attachment.yml
+++ b/detection-rules/attachment_eml_with_html_attachment.yml
@@ -54,7 +54,17 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- - "HTML smuggling"
- "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
+ - "Sender analysis"
id: "c24fd191-1685-5cb8-83ef-618225401332"
diff --git a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
index 97c7061d169..dd39e0e495a 100644
--- a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
+++ b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
@@ -28,6 +28,15 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- - "Emotet"
+ - "Malfam: Emotet"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "Exif analysis"
+ - "File analysis"
+ - "Sender analysis"
id: "9a5332ed-0023-5d6e-89d3-bd789c3bde6f"
diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
index f1ba0ee9404..db7335545c1 100644
--- a/detection-rules/attachment_encrypted_ole_unsolicited.yml
+++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -22,7 +22,15 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
- - "Encrypted attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Macros"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "OLE analysis"
+ - "Sender analysis"
id: "1e47e953-576c-5ba9-b84e-b72a1a89de87"
diff --git a/detection-rules/attachment_excel_web_query_file_iqy.yml b/detection-rules/attachment_excel_web_query_file_iqy.yml
index 9c31f4499f4..5c9666f5fa5 100644
--- a/detection-rules/attachment_excel_web_query_file_iqy.yml
+++ b/detection-rules/attachment_excel_web_query_file_iqy.yml
@@ -20,6 +20,12 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "510412b5-1926-538f-a510-d796ecd2dc2d"
diff --git a/detection-rules/attachment_filename_with_unicode_rtlo.yml b/detection-rules/attachment_filename_with_unicode_rtlo.yml
index ae4ee1e7888..4bc236eae92 100644
--- a/detection-rules/attachment_filename_with_unicode_rtlo.yml
+++ b/detection-rules/attachment_filename_with_unicode_rtlo.yml
@@ -18,6 +18,11 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "357c57a1-dd29-5ad8-ae2f-c4f4c6489575"
diff --git a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
index fbef8fd5214..3dad2cd4cab 100644
--- a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
+++ b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
@@ -16,7 +16,7 @@ source: |
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
-
+
and any(body.links,
any(file.explode(beta.linkanalysis(.).screenshot),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
@@ -24,7 +24,15 @@ source: |
)
)
)
-tags:
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free subdomain host"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
- - "Suspicious link"
+ - "Optical Character Recognition"
+ - "URL analysis"
+ - "URL screenshot"
id: "9187479c-8941-5f28-88fe-0735fd2a86bc"
diff --git a/detection-rules/attachment_html_all_script.yml b/detection-rules/attachment_html_all_script.yml
new file mode 100644
index 00000000000..f6c6ff606a7
--- /dev/null
+++ b/detection-rules/attachment_html_all_script.yml
@@ -0,0 +1,34 @@
+name: "Attachment: HTML file contains exclusively Javascript"
+description: |
+ Attached HTML file does not contain any HTML other than a ")
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+id: "b6d38168-20bb-5550-8843-6af9426af8b1"
diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml
index f6c2fc066fb..1838f3cdc13 100644
--- a/detection-rules/attachment_html_attachment_login_page.yml
+++ b/detection-rules/attachment_html_attachment_login_page.yml
@@ -11,7 +11,7 @@ authors:
- twitter: "ajpc500"
source: |
type.inbound
-
+
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml") or
@@ -60,7 +60,15 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
id: "3aabf4a7-fefa-5266-83fe-012002c9db4a"
diff --git a/detection-rules/attachment_html_excessive_padding.yml b/detection-rules/attachment_html_excessive_padding.yml
index 84fc944fe9e..c77855d95b5 100644
--- a/detection-rules/attachment_html_excessive_padding.yml
+++ b/detection-rules/attachment_html_excessive_padding.yml
@@ -15,7 +15,14 @@ source: |
any(.scan.yara.matches, .name == "HTML_EXCESSIVE_PADDING")
)
)
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
- - "Suspicious attachment"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+ - "YARA"
id: "0a6aee1e-df58-5f1e-8f49-477ed61babe5"
diff --git a/detection-rules/attachment_html_recipients_suspicious_js.yml b/detection-rules/attachment_html_recipients_suspicious_js.yml
index 79f87f251af..1b16511c01d 100644
--- a/detection-rules/attachment_html_recipients_suspicious_js.yml
+++ b/detection-rules/attachment_html_recipients_suspicious_js.yml
@@ -29,9 +29,15 @@ source: |
)
)
)
-tags:
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
- "HTML smuggling"
- - "Suspicious attachments"
- - "Credential phishing"
-
+ - "Scripting"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "YARA"
id: "5333493d-48a8-532d-a621-d278a59bbf9b"
diff --git a/detection-rules/attachment_html_smuggling_atob.yml b/detection-rules/attachment_html_smuggling_atob.yml
index f996d0dfaae..22a231df0c6 100644
--- a/detection-rules/attachment_html_smuggling_atob.yml
+++ b/detection-rules/attachment_html_smuggling_atob.yml
@@ -31,7 +31,18 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"
diff --git a/detection-rules/attachment_html_smuggling_auto_file_download.yml b/detection-rules/attachment_html_smuggling_auto_file_download.yml
index 3060a4f4f3b..23a25411362 100644
--- a/detection-rules/attachment_html_smuggling_auto_file_download.yml
+++ b/detection-rules/attachment_html_smuggling_auto_file_download.yml
@@ -32,7 +32,18 @@ source: |
)
)
)
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "HTML smuggling"
- - "Suspicious attachment"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "abf724f5-d59e-546c-aec2-3f1bc0e2f14b"
diff --git a/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml b/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml
index 25679d0929f..03ef8b93fba 100644
--- a/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml
+++ b/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml
@@ -20,7 +20,16 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
id: "108ab346-bc11-5f96-916c-678891332ae8"
diff --git a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
index 57496000133..a931b1c87cb 100644
--- a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
+++ b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
@@ -1,45 +1,55 @@
-name: "Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment"
-description: |
- Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
-references:
- - "https://twitter.com/pr0xylife/status/1593325734004768770"
- - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar"
- - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
- - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
-type: "rule"
-severity: "high"
-authors:
- - twitter: "ajpc500"
-source: |
- type.inbound
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
- )
- and any(attachments,
- .file_extension in ("html", "htm") and
- any(file.explode(.),
- any(.scan.strings.strings, strings.ilike(.,
- // Double Base64 encoded zips
- "*VUVzREJCUUFBUUFJQ*",
- "*VFc0RCQlFBQVFBSU*",
- "*VRXNEQkJRQUFRQUlB*",
- // Reversed base64 strings double encoded zips
- "*QJFUUBFUUCJERzVUV*",
- "*USBFVQBFlQCR0cFV*",
- "*BlUQRFUQRJkQENXRV*"
- )
- ))
- )
-tags:
- - "Suspicious attachment"
- - "HTML smuggling"
- - "QakBot"
- - "Malware"
-id: "61ebb07b-264e-59fb-a82c-d91957991081"
+name: "Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment"
+description: |
+ Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content.
+references:
+ - "https://twitter.com/pr0xylife/status/1593325734004768770"
+ - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar"
+ - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9"
+ - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7"
+type: "rule"
+severity: "high"
+authors:
+ - twitter: "ajpc500"
+source: |
+ type.inbound
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+ and any(attachments,
+ .file_extension in ("html", "htm") and
+ any(file.explode(.),
+ any(.scan.strings.strings, strings.ilike(.,
+ // Double Base64 encoded zips
+ "*VUVzREJCUUFBUUFJQ*",
+ "*VFc0RCQlFBQVFBSU*",
+ "*VRXNEQkJRQUFRQUlB*",
+ // Reversed base64 strings double encoded zips
+ "*QJFUUBFUUCJERzVUV*",
+ "*USBFVQBFlQCR0cFV*",
+ "*BlUQRFUQRJkQENXRV*"
+ )
+ ))
+ )
+tags:
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Sender analysis"
+id: "61ebb07b-264e-59fb-a82c-d91957991081"
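Review bot: Every line of this file is shown as removed and re-added although the only content difference is the tag block at the end (the old `tags` list versus the new `tags`/`attack_types`/`tactics_and_techniques`/`detection_methods` keys), which suggests a line-ending or trailing-whitespace change rather than a content edit. A whole-file rewrite hides the real change from reviewers and from `git blame`; `git diff -w` on this file should confirm whether the rest is whitespace only, and normalising line endings repository-wide would keep future rule diffs reviewable. Separately, `attack_types` now lists `"Credential Phishing"` for a rule whose description and source describe Qakbot payload delivery only — if the taxonomy intends `attack_types` to reflect what the rule detects, that entry looks inherited from the sibling HTML-smuggling rules rather than from this one.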
diff --git a/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml b/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml
index 649536690c9..43ee40b7a9e 100644
--- a/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml
+++ b/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml
@@ -2,8 +2,8 @@ name: "Attachment: HTML smuggling with embedded base64-encoded ISO"
description: |
HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors.
references:
- - "https://delivr.to/payloads?id=cf6c9867-4358-4b3b-b7eb-3432ac39e71d"
- - "https://playground.sublimesecurity.com?id=78587abf-1027-4c6c-9edf-c1bd928de97a"
+ - "https://delivr.to/payloads?id=cf6c9867-4358-4b3b-b7eb-3432ac39e71d"
+ - "https://playground.sublimesecurity.com?id=78587abf-1027-4c6c-9edf-c1bd928de97a"
type: "rule"
severity: "high"
source: |
@@ -25,7 +25,17 @@ source: |
)
))
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "ISO"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Sender analysis"
id: "294ecd2d-bc98-5a67-850a-60a1a29aea76"
diff --git a/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml b/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml
index 60a3cb7968c..496c97e06f6 100644
--- a/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml
+++ b/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml
@@ -2,9 +2,9 @@ name: "Attachment: HTML smuggling with embedded base64-encoded executable"
description: |
HTML attachmemt contains a base-64 encoded executable.
references:
- - "https://delivr.to/payloads?id=739e977c-8e8f-4ba8-940a-c53ba77cecca"
- - "https://www.microsoft.com/en-us/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium"
- - "https://sandbox.sublimesecurity.com?id=28fe5e67-2dec-4072-a263-24ee53cc54c3"
+ - "https://delivr.to/payloads?id=739e977c-8e8f-4ba8-940a-c53ba77cecca"
+ - "https://www.microsoft.com/en-us/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium"
+ - "https://sandbox.sublimesecurity.com?id=28fe5e67-2dec-4072-a263-24ee53cc54c3"
type: "rule"
severity: "high"
source: |
@@ -18,7 +18,14 @@ source: |
and any(file.explode(.),
any(.flavors.yara, . == 'base64_pe'))
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "YARA"
id: "b00c4527-957c-53ba-9eee-c5ef555b24e3"
diff --git a/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml b/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml
index 4e4501ac177..bc152efce18 100644
--- a/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml
+++ b/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml
@@ -19,7 +19,16 @@ source: |
)
)
tags:
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "HTML smuggling"
- - "Suspicious link"
- - "QakBot"
+ - "Scripting"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
id: "e04de4e2-154f-5cf9-b108-dbf753ece511"
diff --git a/detection-rules/attachment_html_smuggling_entropy.yml b/detection-rules/attachment_html_smuggling_entropy.yml
index f66ded602f9..69d3ee01881 100644
--- a/detection-rules/attachment_html_smuggling_entropy.yml
+++ b/detection-rules/attachment_html_smuggling_entropy.yml
@@ -23,7 +23,15 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
id: "be157288-1955-5ad1-bd6e-4e862248274b"
diff --git a/detection-rules/attachment_html_smuggling_eval_atob.yml b/detection-rules/attachment_html_smuggling_eval_atob.yml
index 440c5840c3d..7a3e89c662a 100644
--- a/detection-rules/attachment_html_smuggling_eval_atob.yml
+++ b/detection-rules/attachment_html_smuggling_eval_atob.yml
@@ -16,7 +16,17 @@ source: |
any(.scan.strings.strings, regex.imatch(., ".*eval.{1,4}atob.*"))
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
id: "9f521ca2-2141-5373-86b1-e3cf8ed8d633"
diff --git a/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml b/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml
index 9bb94fd1986..6ea62440e16 100644
--- a/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml
+++ b/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml
@@ -23,7 +23,17 @@ source: |
"catch" in .scan.javascript.keywords
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "Javascript analysis"
+ - "HTML analysis"
id: "a68ce0ef-dc81-5889-8d0d-735e3521d735"
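Review bot: The `detection_methods` list here puts `"Javascript analysis"` before `"HTML analysis"`, while every other rule in this change keeps the list in alphabetical order (`"HTML analysis"` then `"Javascript analysis"`). The same out-of-order pair appears in `attachment_html_smuggling_location.yml` and `attachment_html_smuggling_rot13.yml`. If the lists are meant to be sorted, as the rest of the diff implies, swapping the two entries in these three files keeps the metadata consistent and makes later bulk edits diff cleanly.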
diff --git a/detection-rules/attachment_html_smuggling_hex_strings.yml b/detection-rules/attachment_html_smuggling_hex_strings.yml
index 35a4ca210ca..25e6610ab9f 100644
--- a/detection-rules/attachment_html_smuggling_hex_strings.yml
+++ b/detection-rules/attachment_html_smuggling_hex_strings.yml
@@ -23,7 +23,16 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
id: "b4208ed6-fdde-5165-a5ca-1fe469c64046"
diff --git a/detection-rules/attachment_html_smuggling_location.yml b/detection-rules/attachment_html_smuggling_location.yml
index eddf7350bd1..f18a6b260b6 100644
--- a/detection-rules/attachment_html_smuggling_location.yml
+++ b/detection-rules/attachment_html_smuggling_location.yml
@@ -19,7 +19,17 @@ source: |
and length(.scan.javascript.identifiers) < 100
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "Javascript analysis"
+ - "HTML analysis"
id: "e0611295-afb2-5766-ac37-00fe81253487"
diff --git a/detection-rules/attachment_html_smuggling_microsoft_signin.yml b/detection-rules/attachment_html_smuggling_microsoft_signin.yml
index e5a94a3e37e..8c7359a0542 100644
--- a/detection-rules/attachment_html_smuggling_microsoft_signin.yml
+++ b/detection-rules/attachment_html_smuggling_microsoft_signin.yml
@@ -36,7 +36,19 @@ source: |
)
// allow Microsoft domains just to be safe
and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free subdomain host"
- "HTML smuggling"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "878d6385-95c2-5540-a887-a6fa9456409c"
diff --git a/detection-rules/attachment_html_smuggling_raw_buffer.yml b/detection-rules/attachment_html_smuggling_raw_buffer.yml
index eb554c8733e..7962e6fa060 100644
--- a/detection-rules/attachment_html_smuggling_raw_buffer.yml
+++ b/detection-rules/attachment_html_smuggling_raw_buffer.yml
@@ -24,7 +24,16 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free subdomain host"
- "HTML smuggling"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "Javascript analysis"
id: "a0d5c3dc-0763-5579-919e-456e5a37bd6f"
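Review bot: Unlike the sibling HTML-smuggling rules in this change, the `detection_methods` list for this rule omits `"HTML analysis"` even though the rule, by its file name and shared `"HTML smuggling"` tactic, inspects HTML attachments; the rule source is outside the hunk, so this may be deliberate. The `attachment_html_smuggling_unescape.yml` hunk similarly drops `"Content analysis"` that its neighbours carry. Worth confirming the two omissions are intentional rather than copy-and-trim slips, since consumers filtering rules by detection method will miss them.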
diff --git a/detection-rules/attachment_html_smuggling_rc4.yml b/detection-rules/attachment_html_smuggling_rc4.yml
index 84583c1ddb4..5172cd98bc7 100644
--- a/detection-rules/attachment_html_smuggling_rc4.yml
+++ b/detection-rules/attachment_html_smuggling_rc4.yml
@@ -18,7 +18,18 @@ source: |
and any(file.explode(.),
any(.scan.strings.strings, strings.ilike(., "*?[(?[?]+?[?])%256]*")))
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
id: "3a46d765-4b27-5026-9b8e-043e3817854b"
diff --git a/detection-rules/attachment_html_smuggling_rot13.yml b/detection-rules/attachment_html_smuggling_rot13.yml
index 77d9cceb8ed..6f129e3d32f 100644
--- a/detection-rules/attachment_html_smuggling_rot13.yml
+++ b/detection-rules/attachment_html_smuggling_rot13.yml
@@ -21,7 +21,18 @@ source: |
and length(.scan.javascript.identifiers) < 100
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "Javascript analysis"
+ - "HTML analysis"
id: "6eacc4cf-9357-5441-9380-b561fa630d65"
diff --git a/detection-rules/attachment_html_smuggling_settimeout.yml b/detection-rules/attachment_html_smuggling_settimeout.yml
index c43e57d571d..75ffc820492 100644
--- a/detection-rules/attachment_html_smuggling_settimeout.yml
+++ b/detection-rules/attachment_html_smuggling_settimeout.yml
@@ -16,7 +16,17 @@ source: |
and any(.scan.strings.strings, strings.ilike(., "*location.href*"))
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
id: "4e0b2c32-d176-5351-9b74-1636179a8cda"
diff --git a/detection-rules/attachment_html_smuggling_unescape.yml b/detection-rules/attachment_html_smuggling_unescape.yml
index 422df259f4d..c422585275e 100644
--- a/detection-rules/attachment_html_smuggling_unescape.yml
+++ b/detection-rules/attachment_html_smuggling_unescape.yml
@@ -16,7 +16,16 @@ source: |
and any(file.explode(.),
any(.scan.javascript.identifiers, . == "unescape"))
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
id: "0b0fed36-735a-50f1-bf10-6673237a4623"
diff --git a/detection-rules/attachment_ics_embedded_document.yml b/detection-rules/attachment_ics_embedded_document.yml
index f9271b300b7..11e2ef560b7 100644
--- a/detection-rules/attachment_ics_embedded_document.yml
+++ b/detection-rules/attachment_ics_embedded_document.yml
@@ -19,6 +19,10 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "File analysis"
id: "8f9957d9-a06a-5c5a-83af-2dc5c25bed86"
diff --git a/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml b/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml
index a680c9aafd0..119efb8056d 100644
--- a/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml
+++ b/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml
@@ -19,7 +19,12 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
- "Natural Language Understanding"
id: "7dd310ca-8939-52f3-b840-16ee5679d837"
diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml
index 85da6e34d0a..fc73efcddaa 100644
--- a/detection-rules/attachment_js_file_execution.yml
+++ b/detection-rules/attachment_js_file_execution.yml
@@ -24,6 +24,15 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
id: "627ae0b1-fbe7-58cf-ba7d-0cf51b806c8a"
diff --git a/detection-rules/attachment_lnk_file.yml b/detection-rules/attachment_lnk_file.yml
index 533d85051fb..08febe29f57 100644
--- a/detection-rules/attachment_lnk_file.yml
+++ b/detection-rules/attachment_lnk_file.yml
@@ -18,6 +18,11 @@ source: |
and any(file.explode(.), .file_extension =~ "lnk")
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "LNK"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "44532abe-f65f-54e6-afe2-d4589e4253ae"
diff --git a/detection-rules/attachment_lnk_file_with_embedded_content.yml b/detection-rules/attachment_lnk_file_with_embedded_content.yml
index f9c9b36b71e..24e9fce3974 100644
--- a/detection-rules/attachment_lnk_file_with_embedded_content.yml
+++ b/detection-rules/attachment_lnk_file_with_embedded_content.yml
@@ -23,7 +23,16 @@ source: |
)
)
)
-
tags:
- - "Suspicious attachment"
+ - "Malfam: Emotet"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Exploit"
+ - "LNK"
+ - "Scripting"
+detection_methods:
+ - "Content analysis"
+ - "Exif analysis"
+ - "File analysis"
id: "41452f7a-c77d-5259-a5fb-91b1b4419364"
diff --git a/detection-rules/attachment_macro_dll_loader.yml b/detection-rules/attachment_macro_dll_loader.yml
index 26e5c2d83be..110c4bcb136 100644
--- a/detection-rules/attachment_macro_dll_loader.yml
+++ b/detection-rules/attachment_macro_dll_loader.yml
@@ -34,8 +34,16 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
- - "Office exploit"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Exploit"
+ - "LNK"
- "Macros"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Macro analysis"
+ - "YARA"
id: "3a193f5f-1596-54d8-8fd7-1e09e63e6ea4"
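Review bot: `tactics_and_techniques` for this macro DLL-loader rule gains `"LNK"`, but nothing in the hunk indicates the rule inspects shortcut files, and the rule source starts outside the hunk. If the source does not check for a `.lnk` extension or LNK content, this entry looks carried over from the neighbouring `attachment_lnk_*` rules and will mis-categorise the rule for anyone filtering on that technique. The dropped `"Office exploit"` tag is reasonably covered by the new `"Exploit"` and `"Macros"` entries, so only `"LNK"` needs a second look.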
diff --git a/detection-rules/attachment_malicious_onenote_commands.yml b/detection-rules/attachment_malicious_onenote_commands.yml
index 2a68dd2ce80..5e9422f5c44 100644
--- a/detection-rules/attachment_malicious_onenote_commands.yml
+++ b/detection-rules/attachment_malicious_onenote_commands.yml
@@ -36,7 +36,14 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "OneNote"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "YARA"
id: "7319f0eb-a3c7-5320-a4ae-6fbf7952369e"
diff --git a/detection-rules/attachment_malwarebazaar.yml b/detection-rules/attachment_malwarebazaar.yml
index 9bc890f99c7..96091611291 100644
--- a/detection-rules/attachment_malwarebazaar.yml
+++ b/detection-rules/attachment_malwarebazaar.yml
@@ -1,6 +1,5 @@
name: "MalwareBazaar: Malicious attachment hash (trusted reporters)"
-description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware
- on MalwareBazaar by trusted reporters from first-time senders."
+description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from first-time senders."
type: "rule"
severity: "medium"
source: |
@@ -17,8 +16,11 @@ source: |
)
)
tags:
- - "MalwareBazaar"
- - "Abusech"
- - "Suspicious attachment"
- - "Malware"
+ - "Abusech: MalwareBazaar"
+attack_types:
+ - "Malware/Ransomware"
+detection_methods:
+ - "File analysis"
+ - "Sender analysis"
+ - "Threat intelligence"
id: "5b5c9c3e-92c2-56cd-ad0d-1a2e195fa2b4"
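Review bot: The first hunk collapses the two-line double-quoted `description` into a single line well past the usual 120-column limit; the original multi-line double-quoted scalar was valid YAML that folds to the same string, so the join was not needed for correctness. If a single logical line is wanted while keeping the file readable, a folded block scalar gives the identical value: `description: >-` followed by the two indented text lines as before. The tag changes in the second hunk look consistent with the rest of the diff.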
diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml
index eb446f00df6..eb726a3b679 100644
--- a/detection-rules/attachment_mht_embedded_vbscript.yml
+++ b/detection-rules/attachment_mht_embedded_vbscript.yml
@@ -33,7 +33,14 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Sender analysis"
id: "b30353a6-773e-5b6d-9252-751b5bc95799"
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 4fda032ffce..63e026b0764 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -45,8 +45,15 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
- - "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
- "QR code"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Header analysis"
+ - "QR code analysis"
+ - "Sender analysis"
id: "ed0f772a-6543-5947-80d1-55a11ea63074"
diff --git a/detection-rules/attachment_msi_installer.yml b/detection-rules/attachment_msi_installer.yml
index 27ffb0b5538..3f2809e0f14 100644
--- a/detection-rules/attachment_msi_installer.yml
+++ b/detection-rules/attachment_msi_installer.yml
@@ -3,7 +3,7 @@ description: |
Recursively scans files and archives to detect MSI installer files.
Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack.
-
+
Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host.
references:
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"
@@ -24,6 +24,11 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "ae17b1a9-41e3-513c-9762-0c3fd30b9818"
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index 2dcbccdff5a..c5b859c224b 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -84,6 +84,15 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
id: "edce0229-5e8f-5359-a5c8-36570840049f"
diff --git a/detection-rules/attachment_office_file_with_vsto.yml b/detection-rules/attachment_office_file_with_vsto.yml
index 7372ad8f65f..e002db57b4c 100644
--- a/detection-rules/attachment_office_file_with_vsto.yml
+++ b/detection-rules/attachment_office_file_with_vsto.yml
@@ -16,6 +16,15 @@ source: |
and strings.ilike(.value, "*.vsto*"))
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "Exif analysis"
+ - "File analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "27afa730-6dd5-58ec-9deb-ed5170de210d"
diff --git a/detection-rules/attachment_office_remote_doc_template.yml b/detection-rules/attachment_office_remote_doc_template.yml
index 4a7803a156c..4d5a98f36d5 100644
--- a/detection-rules/attachment_office_remote_doc_template.yml
+++ b/detection-rules/attachment_office_remote_doc_template.yml
@@ -20,7 +20,10 @@ source: |
)
)
)
-tags:
- - "Suspicious attachment"
- - "Office exploit"
+attack_types:
+ - "Malware/Ransomware"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "URL analysis"
id: "d9601104-c330-5995-9fae-4d30b969c081"
diff --git a/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml b/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml
index ecddad76814..2eba94214f6 100644
--- a/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml
+++ b/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml
@@ -21,9 +21,17 @@ source: |
)
)
)
-tags:
+tags:
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "File analysis"
- "Natural Language Understanding"
- - "Suspicious attachment"
- - "Suspicious link"
- - "QakBot"
+ - "Optical Character Recognition"
+ - "URL analysis"
id: "adda3c3f-8966-5f46-9924-234bbaee0a2c"
diff --git a/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml b/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml
index 97c4fd3560d..f774f6cec4b 100644
--- a/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml
+++ b/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml
@@ -8,17 +8,28 @@ references:
type: "rule"
severity: "low"
source: |
- type.inbound
- and sender.email.domain.root_domain in $free_email_providers
- and length(attachments) == 1
- and all(attachments, .file_extension == "pdf"
- and regex.icontains(.file_name, '(\d\.\d{3,4}.{0,12}BTC|bitcoin)')
- and any(file.explode(.),
- .scan.exiftool.page_count >=5
- and .depth == 0
- and length(filter(.scan.strings.strings, regex.match(.,'^\/URI \(http.*'))) == 1)
- )
+ type.inbound
+ and sender.email.domain.root_domain in $free_email_providers
+ and length(attachments) == 1
+ and all(attachments, .file_extension == "pdf"
+ and regex.icontains(.file_name, '(\d\.\d{3,4}.{0,12}BTC|bitcoin)')
+ and any(file.explode(.),
+ .scan.exiftool.page_count >=5
+ and .depth == 0
+ and length(filter(.scan.strings.strings, regex.match(.,'^\/URI \(http.*'))) == 1)
+ )
tags:
- "Cryptocurrency"
- - "Fraud"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Impersonation: Brand"
+ - "PDF"
+ - "Social engineering"
+detection_methods:
+ - "Exif analysis"
+ - "File analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "47601cb7-5278-58b1-b503-0456c235a18d"
diff --git a/detection-rules/attachment_pdf_file_with_embedded_content.yml b/detection-rules/attachment_pdf_file_with_embedded_content.yml
index 26e2f7f7afb..65cdf617f72 100644
--- a/detection-rules/attachment_pdf_file_with_embedded_content.yml
+++ b/detection-rules/attachment_pdf_file_with_embedded_content.yml
@@ -47,6 +47,12 @@ source: |
"hta_file"))
)
))
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "PDF"
+detection_methods:
+ - "File analysis"
+ - "Sender analysis"
+ - "YARA"
id: "c2e04516-2e6c-5079-8b67-327578e98315"
diff --git a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
index 468ae2680c6..1c06ab53db8 100644
--- a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
+++ b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
@@ -1,38 +1,47 @@
name: "Attachment: Adobe branded PDF file linking to a password-protected file from first-time sender"
description: |
- Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
- abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
+ Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
+ abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
type: "rule"
severity: "high"
source: |
- type.inbound
+ type.inbound
- and any(attachments, .file_extension == "pdf"
- and any(file.explode(.),
- any(ml.nlu_classifier(.scan.ocr.raw).intents,
- .name == "cred_theft" and .confidence == "high"
- )
-
- and strings.icontains(.scan.ocr.raw, "password-protected")
-
- and any(ml.nlu_classifier(.scan.ocr.raw).entities,
- .name == "org" and .text == "Adobe"
- )
- )
- )
+ and any(attachments, .file_extension == "pdf"
+ and any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence == "high"
+ )
+
+ and strings.icontains(.scan.ocr.raw, "password-protected")
+
+ and any(ml.nlu_classifier(.scan.ocr.raw).entities,
+ .name == "org" and .text == "Adobe"
+ )
+ )
+ )
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
- )
-tags:
- - "Machine Learning"
- - "Suspicious attachment"
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
+ - "Impersonation: Brand"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
- "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
id: "5ea75469-58e8-561e-9a19-24da14a946b7"
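Review bot: `attack_types` lists only `"Malware/Ransomware"`, yet the rule's own description says the technique is "abused by Phishing actors as well as Malware actors" and the source requires the `cred_theft` intent at high confidence, so the rule is at least as much a credential-phishing detection as a malware one. Adding `- "Credential Phishing"` under `attack_types` would match both the description and the logic, and would be consistent with the other PDF rules in this change that carry both types. The remainder of this hunk is a re-indentation of the `description` and `source` block scalars; since every line moves by the same amount, the stripped common indent leaves the rule text unchanged.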
diff --git a/detection-rules/attachment_pdf_with_google_ae_redirect.yml b/detection-rules/attachment_pdf_with_google_ae_redirect.yml
index 430f1ac7e54..b9e675bd503 100644
--- a/detection-rules/attachment_pdf_with_google_ae_redirect.yml
+++ b/detection-rules/attachment_pdf_with_google_ae_redirect.yml
@@ -2,7 +2,7 @@ name: "PDF attachment with Google (AE) redirecting to a php file"
description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL"
references:
- "https://twitter.com/Cryptolaemus1/status/1649200761610571776?s=20"
- - "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c"
+ - "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c"
type: "rule"
severity: "high"
source: |
@@ -20,7 +20,14 @@ source: |
)
)
tags:
- - "Suspicious attachment"
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
- - "QakBot"
+ - "PDF"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "URL analysis"
id: "57ae513f-54b6-5ddd-9527-449a6d2a23c3"
diff --git a/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml b/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml
index 013537e5211..6cab6954a6b 100644
--- a/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml
+++ b/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml
@@ -1,6 +1,6 @@
name: "Attachment: PDF with link to zip containing a wsf file"
description: "Detects a PDF attachment with a link to a ZIP file that contains a WSF file"
-references:
+references:
- "https://analyzer.sublime.security/?id=596edcf4-507e-4714-8b2d-b1f51c258c70"
- "https://twitter.com/Cryptolaemus1/status/1649091718552379392"
- "https://twitter.com/Cryptolaemus1/status/1650826597333696515"
@@ -26,6 +26,15 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- - "QakBot"
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "URL analysis"
id: "93bc7db4-248f-502a-bc9a-919915cbc0fb"
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
index 84d163e83e8..da90feb2835 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -28,8 +28,15 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-
tags:
- - "Suspicious attachment"
- - "Ave Maria"
+ - "Malfam: Ave Maria"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Sender analysis"
id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000"
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
index dcacd0a3bcf..fa4445966f9 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
@@ -31,6 +31,16 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- - "QakBot"
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
id: "d1ee2859-acd1-5c12-9b74-89439ed1eaf1"
diff --git a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
index 6307626333f..5337ab10cb4 100644
--- a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
+++ b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
@@ -23,6 +23,12 @@ source: |
))) >= 1
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Macros"
+detection_methods:
+ - "File analysis"
+ - "Macro analysis"
id: "1c591681-3f02-5d1e-be08-fc1e6793c68b"
diff --git a/detection-rules/attachment_powerpoint_hyperlinks.yml b/detection-rules/attachment_powerpoint_hyperlinks.yml
new file mode 100644
index 00000000000..ffe826ae20a
--- /dev/null
+++ b/detection-rules/attachment_powerpoint_hyperlinks.yml
@@ -0,0 +1,34 @@
+name: "Attachment: PowerPoint with suspicious hyperlink"
+description: |
+ Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.
+references:
+ - "https://twitter.com/doc_guard/status/1570190610774257665"
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments, (.file_extension in~ ("ppt", "pptx"))
+ and any(file.explode(.),
+ any(.scan.exiftool.fields, .key == "Hyperlinks"
+ and (
+ 4 of (
+ strings.ilike(.value, "*[Convert]::ToChar*"),
+ strings.ilike(.value, "*vbs*"),
+ strings.ilike(.value, "*[IO.File]::Create*"),
+ strings.ilike(.value, "*[IO.File]::Exists*"),
+ strings.ilike(.value, "*[io.FileOPtions]::DeleteOnClose*"),
+ strings.ilike(.value, "*Net.WebClient*"),
+ strings.ilike(.value, "*dll*"),
+ )
+ )
+ )
+ ))
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "Exif analysis"
+ - "File analysis"
+id: "0a999fb1-f44f-54cf-814b-6fd2e83f5704"
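Review bot: The attachment filter `.file_extension in~ ("ppt", "pptx")` leaves out the other PowerPoint containers (`pptm`, `ppsx`, `ppsm`, `potm`), so a macro-enabled or slideshow file carrying the same hyperlink indicators is never evaluated; if `.scan.exiftool.fields` yields a `Hyperlinks` entry for those formats as well, widening the tuple is the one-line fix. The `4 of` block mixes specific PowerShell fragments with `"*dll*"` and `"*vbs*"`, which on their own match many ordinary hyperlinks — the threshold keeps that in check, but a short comment above the block stating why the threshold is 4 would help the next maintainer tune it. The description's "can execute arbitrary code" overstates what is checked; `Attached PowerPoint contains a hyperlink whose target resembles a PowerShell command rather than a URL.` matches the rule body.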
diff --git a/detection-rules/attachment_powershell_content.yml b/detection-rules/attachment_powershell_content.yml
index 2cede6a35d9..dd04a89d362 100644
--- a/detection-rules/attachment_powershell_content.yml
+++ b/detection-rules/attachment_powershell_content.yml
@@ -25,6 +25,11 @@ source: |
("ps1", "ps1xml", "psm1", "psd1", "pssc", "psrc", "cdxml", "ps2", "ps2xml", "psc2",)
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "c12566db-83af-506a-b9be-adbc01755999"
diff --git a/detection-rules/attachment_rdp_connection_file.yml b/detection-rules/attachment_rdp_connection_file.yml
index 2be7aef45ed..fe1d1bdf823 100644
--- a/detection-rules/attachment_rdp_connection_file.yml
+++ b/detection-rules/attachment_rdp_connection_file.yml
@@ -21,5 +21,11 @@ source: |
)
)
tags:
- - "Suspicious attachment"
+ - "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "2409a422-4116-5a40-b929-c1b47ed5c1e5"
diff --git a/detection-rules/attachment_rtf_embedded_content.yml b/detection-rules/attachment_rtf_embedded_content.yml
index 20ac5f578a8..6b58cfec305 100644
--- a/detection-rules/attachment_rtf_embedded_content.yml
+++ b/detection-rules/attachment_rtf_embedded_content.yml
@@ -17,6 +17,11 @@ source: |
or .file_extension in~ ("bat", "exe", "vbs")
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "File analysis"
+ - "YARA"
id: "61dd2dd7-21cf-58be-bd58-87ae677a00ab"
diff --git a/detection-rules/attachment_sfx_commands.yml b/detection-rules/attachment_sfx_commands.yml
index 705e4539ce7..5a511230f96 100644
--- a/detection-rules/attachment_sfx_commands.yml
+++ b/detection-rules/attachment_sfx_commands.yml
@@ -14,6 +14,11 @@ source: |
and any(.scan.strings.strings, strings.ilike(., 'Setup=*'))
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "File analysis"
id: "343e6c8c-8e46-5f3d-a5ee-c79360f73376"
diff --git a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
index 9c8631918d1..7860c972952 100644
--- a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
+++ b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
@@ -23,6 +23,13 @@ source: |
))
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Macros"
+ - "Scripting"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Macro analysis"
id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004"
diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml
index 03ffa8d6b96..fa6dded2b49 100644
--- a/detection-rules/attachment_soliciting_enable_macros.yml
+++ b/detection-rules/attachment_soliciting_enable_macros.yml
@@ -28,7 +28,14 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Macros"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Macro analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
id: "e9d75515-8d64-531d-8ccb-9153150d0ee3"
diff --git a/detection-rules/attachment_suspicious_csproj.yml b/detection-rules/attachment_suspicious_csproj.yml
new file mode 100644
index 00000000000..06c22e23675
--- /dev/null
+++ b/detection-rules/attachment_suspicious_csproj.yml
@@ -0,0 +1,28 @@
+name: "Attachment: .csproj with suspicious commands"
+description: |
+ Attached .csproj file contains suspicious commands.
+references:
+ - "https://delivr.to/payloads?id=9d80cf8d-fb68-40fb-8969-4b11f3a29c9f"
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ .file_extension == "csproj"
+ and any(file.explode(.),
+ (
+ (any(.scan.strings.strings, strings.contains(., 'DllImport')))
+ and (any(.scan.strings.strings, strings.icontains(., 'CreateProcess')))
+ )
+ )
+ )
+tags:
+ - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Scripting"
+detection_methods:
+ - "File analysis"
+id: "fe45b81d-43df-52fc-9bf8-79824819fb51"
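Review bot: `.file_extension == "csproj"` is a case-sensitive comparison, whereas the sibling rules in this commit use the case-insensitive form (`in~` in attachment_powerpoint_hyperlinks.yml), so an attachment named with `.CSPROJ` or `.Csproj` falls outside the rule; `.file_extension =~ "csproj"` (the operator already used in body_microsoft_logo_bing_redirect.yml) closes that gap. This new file also keeps `tags: - "Suspicious attachment"` while every other hunk in the commit removes that tag in favour of `attack_types`/`tactics_and_techniques`/`detection_methods`, so either the tag should go or its retention deserves a comment. The mix of `strings.contains` for `DllImport` and `strings.icontains` for `CreateProcess` reads as deliberate (C# attribute names are case-sensitive), but a one-line comment saying so would prevent a later "fix".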
diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
index 3af7d5e3813..7ddfae736ab 100644
--- a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
+++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
@@ -19,8 +19,12 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Macros"
- - "Machine Learning"
+detection_methods:
+ - "File analysis"
+ - "Macro analysis"
+ - "Sender analysis"
id: "37cec120-2757-5e99-a489-1315780dae08"
diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml
index 02549b90e3e..6945b1d03ce 100644
--- a/detection-rules/attachment_svg_embedded_js.yml
+++ b/detection-rules/attachment_svg_embedded_js.yml
@@ -39,7 +39,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Sender analysis"
+ - "XML analysis"
id: "f70293bc-b6da-5dbd-8756-e3ca282aba35"
diff --git a/detection-rules/attachment_svg_file_execution.yml b/detection-rules/attachment_svg_file_execution.yml
index 7b3472628ef..52db4e75e64 100644
--- a/detection-rules/attachment_svg_file_execution.yml
+++ b/detection-rules/attachment_svg_file_execution.yml
@@ -27,7 +27,12 @@ source: |
and any(.scan.strings.strings, strings.like(., "*Run*", "*Execute*"))
)
)
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
id: "084b0cde-4352-5624-b1e8-2d9ecd1f7218"
diff --git a/detection-rules/attachment_uncommon_compressed.yml b/detection-rules/attachment_uncommon_compressed.yml
index cb8775fa43c..488e25a7fd9 100644
--- a/detection-rules/attachment_uncommon_compressed.yml
+++ b/detection-rules/attachment_uncommon_compressed.yml
@@ -9,9 +9,13 @@ type: "rule"
severity: "low"
source: |
type.inbound
- and any(attachments, .file_extension in ('tar', 'iso', 'img', 'cab',
- 'gadget', 'uue'))
+ and any(attachments, .file_extension in ('tar', 'iso', 'img', 'cab', 'gadget', 'uue'))
tags:
- - "Suspicious attachment"
- "Attack surface reduction"
-id: "0c6fba7a-b8a9-5491-a32c-411882e10c79"
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+id: "0c6fba7a-b8a9-5491-a32c-411882e10c79"
\ No newline at end of file
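Review bot: The rewritten file still ends without a trailing newline (`\ No newline at end of file`), unlike the other rule files touched here; adding the final newline after the `id:` line keeps the file yamllint-clean and avoids a spurious diff on the next edit. The reflowed line `.file_extension in ('tar', 'iso', 'img', 'cab', 'gadget', 'uue')` is case-sensitive, while the sibling rules in this commit use `in~` for extensions (attachment_rtf_embedded_content.yml, attachment_powerpoint_hyperlinks.yml); `.file_extension in~ (...)` would make an `.ISO` or `.Cab` attachment match as well. The rule body continues above the hunk.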
diff --git a/detection-rules/attachment_url_with_unc_path.yml b/detection-rules/attachment_url_with_unc_path.yml
index 86eb9ee8b11..366944f0bd7 100644
--- a/detection-rules/attachment_url_with_unc_path.yml
+++ b/detection-rules/attachment_url_with_unc_path.yml
@@ -13,7 +13,11 @@ source: |
or any(.scan.strings.strings, regex.icontains(., '%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)')) // percent-encoded UNC paths
)
)
-tags:
- - "Suspicious attachment"
- - "Windows exploit"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "LNK"
+detection_methods:
+ - "File analysis"
id: "3b7ee0fb-3540-51b6-a5db-9b21fdd3c9af"
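Review bot: `tactics_and_techniques` now lists `"LNK"`, but the visible part of the rule matches percent-encoded UNC paths in `.scan.strings.strings` of any attachment and nothing in the hunk ties it to shortcut files; unless the rule head above the hunk restricts the file type to `lnk`, the tag mislabels the technique and a UNC-path-specific entry (or none) would be more accurate. The rule body starts outside the hunk, so this is worth confirming against the full file.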
diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
index 888f76a77b7..d4ba1a6a1c0 100644
--- a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
@@ -1,7 +1,7 @@
name: "Attachment with auto-executing macro (unsolicited)"
description: |
Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened.
-
+
Macros are a common phishing technique used to deploy malware.
references:
- "https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/"
@@ -23,7 +23,21 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+
+ // negate replies
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Macros"
+detection_methods:
+ - "Archive analysis"
+ - "Header analysis"
+ - "File analysis"
+ - "Macro analysis"
+ - "OLE analysis"
+ - "Sender analysis"
id: "af6624c3-2a28-5fbb-8936-fb29e55dd29d"
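Review bot: The new `// negate replies` block only exempts messages that carry both a `References` header and an `In-Reply-To` field, because the two tests are joined with `or`: a message with `References` alone makes the second operand true and the rule still fires, and vice versa. If the intent is to skip anything that looks like a reply, the conjunction should be `length(headers.references) == 0 and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))`. Either way, both headers are set by the sending side, so this exemption trades recall for precision; the comment should say that explicitly, e.g. `// negate replies (best-effort: reply headers are sender-supplied, so this lowers false positives rather than guaranteeing coverage)`. The `detection_methods` list also places `"Header analysis"` before `"File analysis"`, breaking the alphabetical order used in the other hunks. The `source:` block begins above the hunk.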
diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
index 988f8865253..37dfcf5b083 100644
--- a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
@@ -26,7 +26,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Macros"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Macro analysis"
+ - "Sender analysis"
id: "d48b3e53-dee4-546b-b81a-0c781929fdfb"
diff --git a/detection-rules/attachment_vba_macro_calling_executable.yml b/detection-rules/attachment_vba_macro_calling_executable.yml
index ca1032e06a8..ca8f74e4bcd 100644
--- a/detection-rules/attachment_vba_macro_calling_executable.yml
+++ b/detection-rules/attachment_vba_macro_calling_executable.yml
@@ -13,7 +13,12 @@ source: |
and any(file.explode(.),
any(.scan.vba.hex, strings.ilike(., "*exe*")))
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "Macros"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
id: "5ee6a197-eea0-505a-a4d9-24addaf23d3c"
diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml
index d6826b1432d..64fa45578d8 100644
--- a/detection-rules/attachment_vba_macro_employee_impersonation.yml
+++ b/detection-rules/attachment_vba_macro_employee_impersonation.yml
@@ -1,7 +1,7 @@
name: "Attachment with VBA macros from employee impersonation (unsolicited)"
description: |
Attachment contains a VBA macro from a sender your organization has never sent an email to.
-
+
Sender is using a display name that matches the display name of someone in
your organization.
@@ -27,10 +27,15 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Employee"
- "Macros"
- - "Unsolicited"
- - "Suspicious sender"
- - "Employee impersonation"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Macro analysis"
+ - "Sender analysis"
id: "9b262123-9010-5245-89a7-9ebd75333b2a"
diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml
index c663ed6ec92..56be092673d 100644
--- a/detection-rules/attachment_vba_macro_high_risk.yml
+++ b/detection-rules/attachment_vba_macro_high_risk.yml
@@ -21,7 +21,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Macros"
+detection_methods:
+ - "File analysis"
+ - "Macro analysis"
+ - "OLE analysis"
+ - "Sender analysis"
id: "a2b20e16-b363-50f1-92a5-ee6c41012118"
diff --git a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
index 9ee26a8fac6..c81f3e21e0b 100644
--- a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
+++ b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
@@ -20,6 +20,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Encryption"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Sender analysis"
id: "697c87ae-943d-54a0-a41b-ba1667147e03"
diff --git a/detection-rules/attachment_with_suspicious_author_unsolicited.yml b/detection-rules/attachment_with_suspicious_author_unsolicited.yml
index 845d0bdd9e5..5a9e5decc7f 100644
--- a/detection-rules/attachment_with_suspicious_author_unsolicited.yml
+++ b/detection-rules/attachment_with_suspicious_author_unsolicited.yml
@@ -19,6 +19,9 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+detection_methods:
+ - "File analysis"
+ - "Sender analysis"
id: "40f518b9-88a2-59c5-8f6a-54bfd0fdf209"
diff --git a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
index 5caa3cb3b18..f8204c292ae 100644
--- a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
+++ b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
@@ -23,6 +23,14 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Sender analysis"
+ - "YARA"
id: "529d4a9a-ffa7-5a53-a065-df244ec67e7a"
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index 4019a8c128b..18e7cea6a04 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -1,6 +1,6 @@
name: "Body: Business Email Compromise (BEC) attempt from first-time sender"
description: |
- Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.
+ Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders.
type: "rule"
severity: "medium"
source: |
@@ -22,9 +22,13 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Machine Learning"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
- - "Suspicious sender"
- - "Business Email Compromise"
+ - "Sender analysis"
id: "96d4c35a-ca53-559e-9db3-349dbbdffc20"
diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
index 73d3205001f..56610cc6c3a 100644
--- a/detection-rules/body_business_email_compromise_unsolicited.yml
+++ b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -1,6 +1,6 @@
name: "Body: Business Email Compromise (BEC) attempt from unsolicited sender"
description: |
- Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
+ Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders.
type: "rule"
severity: "medium"
source: |
@@ -38,9 +38,14 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Machine Learning"
- - "Natural Language Understanding"
- - "Suspicious sender"
- - "Business Email Compromise"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "57eccc45-0408-55ee-ae33-8203e166254a"
diff --git a/detection-rules/body_callback_phishing_no_attachment.yml b/detection-rules/body_callback_phishing_no_attachment.yml
index 1a35d0896d7..f537ce3ce84 100644
--- a/detection-rules/body_callback_phishing_no_attachment.yml
+++ b/detection-rules/body_callback_phishing_no_attachment.yml
@@ -18,7 +18,7 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-
+
and sender.email.domain.root_domain in $free_email_providers
and strings.ilike(body.plain.raw, "*mcafee*", "*norton*", "*geek squad*", "*paypal*", "*ebay*", "*symantec*", "*best buy*", "*lifelock*")
and 4 of (
@@ -35,7 +35,14 @@ source: |
strings.ilike(body.plain.raw, '*refund*'),
strings.ilike(body.plain.raw, '*+1*')
)
-tags:
+attack_types:
- "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Impersonation: Brand"
+ - "Out of band pivot"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "Sender analysis"
id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"
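Review bot: `detection_methods` lists `"File analysis"` for a rule whose name says "no attachment", while it omits `"Content analysis"` even though the visible `strings.ilike(body.plain.raw, ...)` lines are pure body-content matching; the sibling body_html_callback_phishing_no_attachment.yml in this commit lists `"Content analysis"`, so the two should agree. Unless the part of the rule above the hunk inspects attachments, replace `- "File analysis"` with `- "Content analysis"`. The `source:` block starts outside the hunk.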
diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml
index 7d08f96cfe6..62fb414bdda 100644
--- a/detection-rules/body_extortion.yml
+++ b/detection-rules/body_extortion.yml
@@ -1,7 +1,7 @@
name: "Extortion / sextortion (first-time sender)"
description: |
- Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.
-references:
+ Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender.
+references:
- "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/"
type: "rule"
severity: "low"
@@ -28,10 +28,14 @@ source: |
// many extortion emails spoof sender domains and fail sender authentication
or any(headers.hops, .authentication_results.dmarc == "fail")
)
-
-tags:
- - "Machine Learning"
- - "Natural Language Understanding"
+attack_types:
- "Extortion"
- - "Sextortion"
+tactics_and_techniques:
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6"
diff --git a/detection-rules/body_html_callback_phishing_no_attachment.yml b/detection-rules/body_html_callback_phishing_no_attachment.yml
index 9cb24d4f6c3..2241ffac3b7 100644
--- a/detection-rules/body_html_callback_phishing_no_attachment.yml
+++ b/detection-rules/body_html_callback_phishing_no_attachment.yml
@@ -6,37 +6,45 @@ description: |
type: "rule"
severity: "medium"
source: |
- type.inbound
- and length(attachments) == 0
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
- )
-
- and sender.email.domain.root_domain in $free_email_providers
- and any([body.html.inner_text], strings.ilike(., "*mcafee*", "*norton*", "*geek squad*", "*paypal*", "*ebay*", "*symantec*", "*best buy*", "*lifelock*"))
- and any([body.html.inner_text], strings.ilike(., "*+1*"))
+ type.inbound
+ and length(attachments) == 0
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $recipient_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $recipient_domains
+ )
+ )
+
+ and sender.email.domain.root_domain in $free_email_providers
+ and any([body.html.inner_text], strings.ilike(., "*mcafee*", "*norton*", "*geek squad*", "*paypal*", "*ebay*", "*symantec*", "*best buy*", "*lifelock*"))
+ and any([body.html.inner_text], strings.ilike(., "*+1*"))
- and 4 of (
- strings.ilike(body.html.inner_text, '*purchase*'),
- strings.ilike(body.html.inner_text, '*subscription*'),
- strings.ilike(body.html.inner_text, '*antivirus*'),
- strings.ilike(body.html.inner_text, '*order*'),
- strings.ilike(body.html.inner_text, '*support*'),
- strings.ilike(body.html.inner_text, '*receipt*'),
- strings.ilike(body.html.inner_text, '*invoice*'),
- strings.ilike(body.html.inner_text, '*call*'),
- strings.ilike(body.html.inner_text, '*cancel*'),
- strings.ilike(body.html.inner_text, '*renew*'),
- strings.ilike(body.html.inner_text, '*refund*')
- )
-tags:
+ and 4 of (
+ strings.ilike(body.html.inner_text, '*purchase*'),
+ strings.ilike(body.html.inner_text, '*subscription*'),
+ strings.ilike(body.html.inner_text, '*antivirus*'),
+ strings.ilike(body.html.inner_text, '*order*'),
+ strings.ilike(body.html.inner_text, '*support*'),
+ strings.ilike(body.html.inner_text, '*receipt*'),
+ strings.ilike(body.html.inner_text, '*invoice*'),
+ strings.ilike(body.html.inner_text, '*call*'),
+ strings.ilike(body.html.inner_text, '*cancel*'),
+ strings.ilike(body.html.inner_text, '*renew*'),
+ strings.ilike(body.html.inner_text, '*refund*')
+ )
+attack_types:
- "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Impersonation: Brand"
+ - "Out of band pivot"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "afe5dec2-1ec0-505e-b5dd-768144d71bec"
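Review bot: `detection_methods` now includes `"URL analysis"`, but the full `source:` block shown in this hunk only evaluates `attachments`, `sender.email.*` and `body.html.inner_text` — there is no `body.links` or `href_url` reference — so that entry does not describe what the rule does and should be dropped (or the rule extended). The hunk rewrites every source line without a visible token change, which suggests an indentation-only reflow; if so, the commit message should say so, since whitespace inside a `|` block scalar is part of the value. As a style point, the two `any([body.html.inner_text], strings.ilike(., ...))` wrappers can be written the same way as the `4 of` lines below them, `strings.ilike(body.html.inner_text, ...)`, which removes the single-element list.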
diff --git a/detection-rules/body_html_smuggling_atob_in_body.yml b/detection-rules/body_html_smuggling_atob_in_body.yml
index e2ef2a67068..6641ceb145e 100644
--- a/detection-rules/body_html_smuggling_atob_in_body.yml
+++ b/detection-rules/body_html_smuggling_atob_in_body.yml
@@ -1,5 +1,5 @@
name: "HTML smuggling with atob in message body"
-description: |
+description: |
Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call.
This technique has been observed leading to credential phishing.
type: "rule"
@@ -8,7 +8,12 @@ source: |
type.inbound
and (length(body.plain.raw) < 200 or body.plain.raw is null)
and regex.icontains(body.html.raw, "document.{0,10}(write|insertAdjacentHTML).{0,10}atob")
-tags:
- - "Suspicious body"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "HTML smuggling"
+detection_methods:
+ - "Content analysis"
+ - "HTML analysis"
id: "0f86851f-3ec4-50b6-ba1a-cba096642d0e"
diff --git a/detection-rules/body_job_scam_new_sender.yml b/detection-rules/body_job_scam_new_sender.yml
index 88dea7186e0..7e4c12ace6f 100644
--- a/detection-rules/body_job_scam_new_sender.yml
+++ b/detection-rules/body_job_scam_new_sender.yml
@@ -1,6 +1,6 @@
name: "Job Scam (first-time sender)"
description: |
- Detects job scam attempts by analyzing the email body text from a first-time sender.
+ Detects job scam attempts by analyzing the email body text from a first-time sender.
type: "rule"
severity: "low"
source: |
@@ -25,10 +25,13 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-
-tags:
- - "Machine Learning"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
- - "Scam"
- - "Suspicious sender"
+ - "Sender analysis"
id: "a37dc32d-33a4-5097-a585-ff6c345d0ecc"
diff --git a/detection-rules/body_microsoft_logo_bing_redirect.yml b/detection-rules/body_microsoft_logo_bing_redirect.yml
index c10b1517d33..cb7058d8f47 100644
--- a/detection-rules/body_microsoft_logo_bing_redirect.yml
+++ b/detection-rules/body_microsoft_logo_bing_redirect.yml
@@ -43,12 +43,12 @@ source: |
)
)
)
-
+
// Bing redirect
and any(body.links, .href_url.domain.root_domain == 'bing.com' and .href_url.path =~ '/ck/a')
-
+
and sender.email.domain.root_domain not in $org_domains
-
+
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
@@ -60,8 +60,17 @@ source: |
"sharepointonline.com",
"yammer.com"
)
-tags:
- - "Suspicious content"
- - "Brand impersonation"
- - "Suspicious link"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Open redirect"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
id: "27b8d8d8-a117-5d34-b4b0-9adb7c7c971e"
diff --git a/detection-rules/body_unicode_slashes_in_url.yml b/detection-rules/body_unicode_slashes_in_url.yml
index 045125689bc..5dfe4f3fe9f 100644
--- a/detection-rules/body_unicode_slashes_in_url.yml
+++ b/detection-rules/body_unicode_slashes_in_url.yml
@@ -13,6 +13,12 @@ source: |
regex.icontains(body.plain.raw, 'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+') or
any(body.links, regex.icontains(.href_url.url,'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+'))
)
-tags:
- - "Suspicious Link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "URL analysis"
id: "12069f5b-a774-53ba-8473-633291f71e84"
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 252ab8f624a..4aa91a9de3c 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -1,37 +1,42 @@
name: "Callback Phishing NLU body or attachment from first-time sender"
description: |
- Detects callback scams by analyzing text within images of receipts or invoices from first time senders.
+ Detects callback scams by analyzing text within images of receipts or invoices from first time senders.
type: "rule"
severity: "medium"
source: |
- type.inbound
- and (
- any(attachments, .file_type in ("png", "jpg", "pdf")
- and any(file.explode(.),
- any(ml.nlu_classifier(.scan.ocr.raw).intents,
- .name == "callback_scam" and .confidence == "high"
- )
+ type.inbound
+ and (
+ any(attachments,
+ .file_type in ("png", "jpg", "pdf")
+ and any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "callback_scam" and .confidence == "high"
+ )
+ )
+ )
+ or any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name in ("callback_scam") and .confidence == "high"
)
)
- or
- any(ml.nlu_classifier(coalesce(
- body.html.display_text, body.plain.raw)).intents,
- .name in ("callback_scam") and .confidence == "high"
- )
- )
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
)
- )
-tags:
- - "Machine Learning"
- - "Customer service fraud"
- - "Natural Language Understanding"
+attack_types:
- "Callback Phishing"
+tactics_and_techniques:
+ - "Out of band pivot"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "Natural Language Understanding"
+ - "Sender analysis"
id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"
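Review bot: Swapping `coalesce(body.html.display_text, body.plain.raw)` for `body.current_thread.text` narrows the NLU input to the latest message in the thread, so quoted earlier content no longer contributes to the `callback_scam` intent; that is a behaviour change the description should reflect, since it still reads "analyzing text within images of receipts or invoices" and does not mention the body-text branch at all. A description such as `Detects callback scams by running NLU over the current-thread body text and over OCR text from image or PDF attachments, for first-time senders.` covers both branches. For consistency with the attachment branch, `.name in ("callback_scam")` can be `.name == "callback_scam"`.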
diff --git a/detection-rules/cve_2021_40444_external_relationship.yml b/detection-rules/cve_2021_40444_external_relationship.yml
index 97c39d974f4..d98db979cbb 100644
--- a/detection-rules/cve_2021_40444_external_relationship.yml
+++ b/detection-rules/cve_2021_40444_external_relationship.yml
@@ -29,7 +29,17 @@ source: |
)
)
tags:
- - "Suspicious attachment"
- "CVE-2021-40444"
- - "Office exploit"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Exploit"
+ - "Macros"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "Macro analysis"
+ - "OLE analysis"
id: "8cefcf7f-2a48-5102-9b09-8db995759223"
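Review bot: `tactics_and_techniques` adds `"Macros"` and `detection_methods` adds `"Macro analysis"` to a rule whose file name (`cve_2021_40444_external_relationship.yml`) indicates it keys on the document's external relationship, which is the CVE-2021-40444 delivery vector and does not involve VBA; unless the rule body above the hunk also inspects macros, those two entries mislabel the rule and `"Exploit"` plus `"OLE analysis"`/`"Content analysis"` already describe it. The rule body starts outside the hunk, so confirm against the full source before removing them.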
diff --git a/detection-rules/disposable_sender_unsolicited.yml b/detection-rules/disposable_sender_unsolicited.yml
index 4cead019139..0da99bbf41f 100644
--- a/detection-rules/disposable_sender_unsolicited.yml
+++ b/detection-rules/disposable_sender_unsolicited.yml
@@ -8,6 +8,6 @@ source: |-
type.inbound
and sender.email.domain.root_domain in $disposable_email_providers
and sender.email.email not in $recipient_emails
-tags:
- - "Suspicious sender"
+detection_methods:
+ - "Sender analysis"
id: "5436b3db-3f17-5100-8136-1d03fc221fca"
diff --git a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml
index 7bc9c94cc58..bedb767f21f 100644
--- a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml
+++ b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml
@@ -17,9 +17,12 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "File sharing link"
- - "Suspicious link"
- - "Suspicious sender"
- - "Spam"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Free file host"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "95f20354-3091-537e-9fe0-80ea8b64913b"
diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml
index cf4077a8441..ff3c735beee 100644
--- a/detection-rules/file_sharing_link_suspicious_subject.yml
+++ b/detection-rules/file_sharing_link_suspicious_subject.yml
@@ -19,8 +19,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "File sharing link"
- - "Suspicious link"
- - "Suspicious subject"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Free file host"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "a306e2a6-addc-5e26-9be1-c146f37fd7f2"
diff --git a/detection-rules/headers_anonymousfox.yml b/detection-rules/headers_anonymousfox.yml
index fa8ddf64fb9..3b1e379309b 100644
--- a/detection-rules/headers_anonymousfox.yml
+++ b/detection-rules/headers_anonymousfox.yml
@@ -13,6 +13,11 @@ source: |
regex.icontains(.name, "X-Authenticated-Sender|X-Sender") and
regex.icontains(.value, "(anonymous|smtp)fox-"))
or regex.icontains(sender.email.email, "(anonymous|smtp)fox-"))
-tags:
- - "Suspicious headers"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "2506206e-b879-57fa-bcfd-95c66eb02db8"
diff --git a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml
index fe567a322cc..782509a0586 100644
--- a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml
+++ b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml
@@ -7,18 +7,18 @@ type: "rule"
severity: "medium"
source: |
type.inbound
-
+
and any(recipients.to, .email.email == sender.email.email)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
-
+
and length(body.links) == 0
-
+
and any(headers.reply_to,
.email.domain.domain in $free_email_providers
and not .email.domain.domain == sender.email.domain.domain
)
-
+
and (
(
sender.email.domain.root_domain in $free_email_providers
@@ -29,8 +29,12 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious sender"
- - "Suspicious headers"
- - "Business Email Compromise"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "682191bf-a623-5f03-a497-9b8590535697"
diff --git a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
index 8750cbbc14a..c0360a0682b 100644
--- a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
+++ b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
@@ -4,21 +4,32 @@ type: "rule"
severity: "medium"
source: |
type.inbound
- and any(ml.nlu_classifier(coalesce(
- body.html.display_text, body.plain.raw)).intents,
- .name in ("bec") and .confidence in ("medium", "high")
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name in ("bec") and .confidence in ("medium", "high")
)
and (
headers.return_path.domain.root_domain in $free_email_providers
or (
length(headers.reply_to) > 0
- and all(headers.reply_to,
- .email.domain.root_domain in $free_email_providers)
+ and all(headers.reply_to, .email.domain.root_domain in $free_email_providers)
+ )
+ )
+ and not (
+ sender.email.domain.root_domain == "paypal.com"
+ and any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*pass")
)
)
and sender.email.domain.root_domain not in $free_email_providers
-tags:
- - "Suspicious sender"
- - "Business Email Compromise"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
+ - "Sender analysis"
id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"
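Review bot: The new paypal.com carve-out trusts any hop whose `authentication_results.dmarc` matches `*pass`, and that glob also accepts values such as `bestguesspass` that some MTAs emit for messages that did not actually pass DMARC. If `headers.hops` includes Authentication-Results headers supplied by the sender rather than only the one added by the receiving MTA, a spoofed paypal.com From with a forged `dmarc=pass` would also be excluded here. Consider tightening the match to `strings.ilike(.authentication_results.dmarc, "pass")` (or `== "pass"` if the field is normalized) and adding a comment stating that the exclusion is meant for authenticated PayPal mail that triggers the BEC classifier. A short `// PayPal sends legitimate "bec"-like payment mail with freemail return paths — exclude only when DMARC passes` above the `and not (` would make the intent reviewable.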
diff --git a/detection-rules/headers_invalid_ios_build.yml b/detection-rules/headers_invalid_ios_build.yml
index 4b7fa27f9cb..1f962733e94 100644
--- a/detection-rules/headers_invalid_ios_build.yml
+++ b/detection-rules/headers_invalid_ios_build.yml
@@ -7,7 +7,12 @@ source: |
type.inbound
and regex.contains(headers.mailer, '(iPad|iPhone) Mail')
and not regex.contains(headers.mailer, '(iPad|iPhone) Mail \([0-9]{2}')
-tags:
- - "Suspicious headers"
- - "Suspicious sender"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
id: "e0b74072-3210-5511-9ad9-2c945ab28abb"
diff --git a/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml b/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml
index adb5df9970d..ea173528ddf 100644
--- a/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml
+++ b/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml
@@ -11,7 +11,10 @@ source: |
type.inbound
and strings.ilike(headers.mailer, '*phpmailer*')
and any(attachments, .file_name in~ ('image.png', 'name.png', 'use.png'))
-tags:
- - "Suspicious attachment"
- - "PHP mailer"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Image as content"
+detection_methods:
+ - "Header analysis"
id: "07e03563-88f6-5d2f-8730-7d17f860ba14"
diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml
index 23f5616fb1f..c477612dfd6 100644
--- a/detection-rules/headers_replyto_new_domain_nlu_request.yml
+++ b/detection-rules/headers_replyto_new_domain_nlu_request.yml
@@ -46,8 +46,15 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Vendor impersonation"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
- - "New domain"
+ - "Sender analysis"
+ - "URL analysis"
+ - "Whois"
id: "db4d9bb3-0eca-5525-9a99-7c1c773b580f"
diff --git a/detection-rules/headers_russia_return_path.yml b/detection-rules/headers_russia_return_path.yml
index 23356c7d392..1e3c6025da9 100644
--- a/detection-rules/headers_russia_return_path.yml
+++ b/detection-rules/headers_russia_return_path.yml
@@ -17,7 +17,11 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious headers"
-
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "588b3954-c03a-57fb-b5a4-abf993a8c003"
diff --git a/detection-rules/headers_sendgrid_onmicrosoft.yml b/detection-rules/headers_sendgrid_onmicrosoft.yml
index bb309b8d40b..b8daac8b4de 100644
--- a/detection-rules/headers_sendgrid_onmicrosoft.yml
+++ b/detection-rules/headers_sendgrid_onmicrosoft.yml
@@ -9,6 +9,10 @@ source: |
type.inbound and
headers.return_path.domain.domain == "sendgrid.net" and
sender.email.domain.root_domain == "onmicrosoft.com"
-tags:
- - "Suspicious headers"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
id: "271f4ae9-9681-5d61-a94d-8fa714db826d"
diff --git a/detection-rules/headers_spf_temp_error.yml b/detection-rules/headers_spf_temp_error.yml
index f3734667407..d237245ed1e 100644
--- a/detection-rules/headers_spf_temp_error.yml
+++ b/detection-rules/headers_spf_temp_error.yml
@@ -14,6 +14,8 @@ severity: "medium"
source: |
type.inbound
and any(headers.hops, any(.fields, strings.ilike(.name, "Received-SPF") and strings.ilike(.value, "*spf=temperror*")))
-tags:
- - "Suspicious headers"
+tactics_and_techniques:
+ - "Spoofing"
+detection_methods:
+ - "Header analysis"
id: "2df7e839-8ffb-5d84-ac87-a45239d0d24b"
diff --git a/detection-rules/headers_voicemail_sendgrid.yml b/detection-rules/headers_voicemail_sendgrid.yml
index 0c455dcbabd..149daddbc12 100644
--- a/detection-rules/headers_voicemail_sendgrid.yml
+++ b/detection-rules/headers_voicemail_sendgrid.yml
@@ -9,6 +9,11 @@ source: |
type.inbound
and headers.return_path.domain.domain == 'sendgrid.net'
and strings.ilike(subject.subject, '*voicemail*', '*voice message*')
-tags:
- - "Suspicious headers"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
id: "21cad89c-55e0-5cf1-8677-bf0242633a82"
diff --git a/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml b/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml
index b00f78cb53e..d471fa194af 100644
--- a/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml
+++ b/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml
@@ -8,6 +8,6 @@ source: |
type.inbound
and strings.starts_with(headers.mailer, "Zimbra")
and regex.icontains(headers.mailer, '\b(5\.1|6\.1)\.\d{4}\b')
-tags:
- - "Suspicious sender"
+detection_methods:
+ - "Header analysis"
id: "d23e694f-a23d-5730-9a04-29629f2e6696"
diff --git a/detection-rules/impersonation_adp.yml b/detection-rules/impersonation_adp.yml
index 87c6e792dae..f42224d5045 100644
--- a/detection-rules/impersonation_adp.yml
+++ b/detection-rules/impersonation_adp.yml
@@ -10,7 +10,12 @@ source: |
and sender.display_name in~ ('RS-Plan-Admin@adp.com','ADP','SecurityServices_NoReply@adp.com')
and sender.email.domain.root_domain not in~ ('adp.com', 'adpsurveys.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "bb9cf46b-188e-58f5-996e-b35caf2423a2"
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 8ebdcaa4fec..40e073c96a3 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -40,11 +40,17 @@ source: |
'amazon.com.tr',
'amazonpay.in',
'amazonpay.com',
+ 'q4inc.com',
'synchronybank.com',
)
and sender.email.email not in $recipient_emails
and sender.email.domain.domain not in $org_domains
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "13fc967d-4cc6-501d-9637-8c0761a1a354"
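Review bot: The new `'q4inc.com'` entry in the root-domain allowlist carries no explanation, unlike the `// sedex.com is not affiliated with FedEx, but is an apparent FP` note in impersonation_fedex, so a later maintainer cannot tell whether it is an Amazon-affiliated sender or just an observed false positive. Add a comment on the line above it, e.g. `// q4inc.com: third-party sender observed in legitimate Amazon mail; exclude to avoid FPs`, adjusted to whatever the actual evidence was. Note that the sibling rule added in this commit (impersonation_amazon_suspicious_text) carries a near-identical allowlist without this entry, so the two rules will now diverge on the same sender.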
diff --git a/detection-rules/impersonation_amazon_suspicious_text.yml b/detection-rules/impersonation_amazon_suspicious_text.yml
new file mode 100644
index 00000000000..537fd7cd1f3
--- /dev/null
+++ b/detection-rules/impersonation_amazon_suspicious_text.yml
@@ -0,0 +1,75 @@
+name: "Brand impersonation: Amazon with suspicious attachment"
+description: |
+ Impersonation of Amazon. These are most commonly fake shipping notifications.
+ Amazon is the #2 most-impersonated brand (as of Q2 2020)
+references:
+ - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
+ - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and strings.ilike(sender.display_name, "amazon*")
+ and any(attachments, .file_type in ("pdf", "jpg", "jpeg", "png")
+ and any(ml.logo_detect(.).brands,
+ .name == "Amazon" and .confidence in~ ("medium", "high")
+ )
+ and (
+ any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name != "benign" and .confidence == "high"
+ )
+ )
+ or any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents,
+ .name != "benign" and .confidence == "high"
+ )
+ )
+ )
+ // unsolicited
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $recipient_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $recipient_domains
+ )
+ )
+ and sender.email.domain.root_domain not in~ (
+ 'amazon.com',
+ 'amazon.com.au',
+ 'amazon.co.uk',
+ 'amazon.de',
+ 'amazon.es',
+ 'amazon.fr',
+ 'amazon.it',
+ 'amazon.in',
+ 'amazon.lu',
+ 'amazon.com.au',
+ 'amazonsellerservices.com',
+ 'amazon.ae',
+ 'amazon.sa',
+ 'amazon.cn',
+ 'amazon.ca',
+ 'amazon.com.mx',
+ 'amazon.com.br',
+ 'amazon.sg',
+ 'amazon.com.tr',
+ 'amazonpay.in',
+ 'amazonpay.com',
+ 'synchronybank.com',
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "File analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+id: "5751dcb9-071d-540b-9ec3-410d6aa80c11"
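Review bot: The allowlist in this new rule lists `'amazon.com.au'` twice (second and tenth entries) and omits the `'q4inc.com'` entry that this same commit adds to impersonation_amazon, so the two Amazon rules already disagree on which senders are exempt; drop the duplicate and either add `'q4inc.com',` here with the same justification or note why this rule should still fire for it. The rule name says "suspicious attachment" while the filename says `_suspicious_text` and the logic requires both an attachment with a detected Amazon logo and a non-benign NLU intent in the OCR or body text, so the name and description should say that (e.g. `name: "Brand impersonation: Amazon with suspicious attachment text"`). The "#2 most-impersonated brand (as of Q2 2020)" line is dated and not used by the logic; consider dropping it or moving the date into the reference.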
diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml
index 1185c91cbcb..8cad2868b4b 100644
--- a/detection-rules/impersonation_amex.yml
+++ b/detection-rules/impersonation_amex.yml
@@ -15,7 +15,13 @@ source: |
and sender.email.domain.root_domain not in ('aexp.com','americanexpress.com', 'americanexpress.co.uk', 'aexpfeedback.com', 'amexnetwork.com', 'accountonline.com', 'transunion.com', 'amexgiftcard.com', 'amexgbt.com')
and sender.email.domain.domain not in ('accountprotection.microsoft.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "992a9fa9-84ee-5065-8486-b3a2a8ffa676"
diff --git a/detection-rules/impersonation_apple.yml b/detection-rules/impersonation_apple.yml
index e44dd8a97b8..c341f889b6f 100644
--- a/detection-rules/impersonation_apple.yml
+++ b/detection-rules/impersonation_apple.yml
@@ -13,7 +13,12 @@ source: |
)
and sender.email.domain.root_domain !~ 'apple.com'
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "0b17f2c2-e100-5d51-b53e-ee3da0431f1d"
diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml
index 3b12bf58530..7487e05a17d 100644
--- a/detection-rules/impersonation_bank_of_america.yml
+++ b/detection-rules/impersonation_bank_of_america.yml
@@ -14,7 +14,13 @@ source: |
)
and sender.email.domain.root_domain not in~ ('bankofamerica.com', 'transunion.com', 'bofa.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "d2fc6ea1-0c8d-57e0-bcaa-732a2e6b76e4"
diff --git a/detection-rules/impersonation_barracuda.yml b/detection-rules/impersonation_barracuda.yml
index 8d17082e960..f8e419f29d0 100644
--- a/detection-rules/impersonation_barracuda.yml
+++ b/detection-rules/impersonation_barracuda.yml
@@ -22,7 +22,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "583fd5eb-ebd1-5753-944c-1d85f2a82348"
diff --git a/detection-rules/impersonation_binance.yml b/detection-rules/impersonation_binance.yml
index f6e73b6236a..33be6a6de61 100644
--- a/detection-rules/impersonation_binance.yml
+++ b/detection-rules/impersonation_binance.yml
@@ -33,7 +33,18 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+tags:
+ - "Cryptocurrency"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "HTML analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
id: "c3302a76-ff5f-5619-b806-2bfec382f588"
diff --git a/detection-rules/impersonation_blockchain.yml b/detection-rules/impersonation_blockchain.yml
index d1d8760bd45..fd59c27b031 100644
--- a/detection-rules/impersonation_blockchain.yml
+++ b/detection-rules/impersonation_blockchain.yml
@@ -14,7 +14,13 @@ source: |
and any(distinct(headers.hops, .received_spf.verdict is not null), strings.like(.received_spf.verdict, "*fail"))
and sender.email.domain.root_domain not in~ ('blockchain.com', 'wxblockchain.com', 'ai-blockchain.com', 'envisionblockchain.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "0d85e555-bf7c-50a9-afba-de3c67818b6f"
diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
index 9c8edd043d9..3c1732303ac 100644
--- a/detection-rules/impersonation_chase.yml
+++ b/detection-rules/impersonation_chase.yml
@@ -16,9 +16,16 @@ source: |
or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
or strings.ilevenshtein(sender.display_name, 'echase') <= 2
)
+ and sender.display_name not in ("Chaser")
and sender.email.domain.root_domain not in~ ('chase.com', 'united.com', 'transunion.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "c680f1e7-01b9-5b95-897b-65957f4a57aa"
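Review bot: The added exclusion `sender.display_name not in ("Chaser")` is case-sensitive, while the display-name matches it is meant to carve out (`strings.ilevenshtein(...)` on L3590-L3591 and presumably the `'chase'` comparison above the hunk) are case-insensitive, so `chaser` or `CHASER` still fires the rule. Use the case-insensitive form the same file already uses for domains two lines below: `and sender.display_name not in~ ("Chaser")`. A one-line comment such as `// "Chaser" (an accounting SaaS) is within edit distance of "chase" — observed FP` would also record why the exclusion exists, if that is indeed the source. The display-name block begins above the hunk, so the full set of matched names is not visible here.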
diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml
index 2bf431822bf..cd6b5a13235 100644
--- a/detection-rules/impersonation_coinbase.yml
+++ b/detection-rules/impersonation_coinbase.yml
@@ -29,6 +29,14 @@ source: |
)
)
tags:
- - "Brand impersonation"
- - "Suspicious sender"
+ - "Cryptocurrency"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "3dca757a-fb21-53c0-ac17-b0f110e8db60"
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index bb376f9f0ff..d5cd44d8299 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -25,7 +25,13 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5"
diff --git a/detection-rules/impersonation_digital_ocean.yml b/detection-rules/impersonation_digital_ocean.yml
index 116804a606e..a3ca8088647 100644
--- a/detection-rules/impersonation_digital_ocean.yml
+++ b/detection-rules/impersonation_digital_ocean.yml
@@ -12,7 +12,13 @@ source: |
)
and sender.email.domain.root_domain !~ 'digitalocean.com'
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "7f2f0e97-b89f-54dd-9167-cbf1e55b112b"
diff --git a/detection-rules/impersonation_docusign.yml b/detection-rules/impersonation_docusign.yml
index fbd7000378a..2af461dce5a 100644
--- a/detection-rules/impersonation_docusign.yml
+++ b/detection-rules/impersonation_docusign.yml
@@ -62,7 +62,15 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Brand impersonation"
- - "DocuSign"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "4d29235c-08b9-5f9b-950e-60b05c4691fb"
diff --git a/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml b/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml
index 2c92c535988..09a34f1c365 100644
--- a/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml
+++ b/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml
@@ -24,9 +24,14 @@ source: |
and any(ml.nlu_classifier(.).intents, .name != "benign")
)
)
-tags:
- - "Domain Impersonation"
- - "Suspicious ReplyTo"
- - "Machine Learning"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
+ - "Sender analysis"
id: "43026a40-4285-51a7-a42e-f08b9ee41b97"
diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml
index 2bc4d671335..870e402b031 100644
--- a/detection-rules/impersonation_dropbox.yml
+++ b/detection-rules/impersonation_dropbox.yml
@@ -17,7 +17,14 @@ source: |
)
)
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "61f11d12-7033-53c9-a95a-df982ff31c4b"
diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml
index 55d7d741d01..c8e01b2286f 100644
--- a/detection-rules/impersonation_employee_payroll_fraud.yml
+++ b/detection-rules/impersonation_employee_payroll_fraud.yml
@@ -14,7 +14,7 @@ source: |
or
sender.email.domain.root_domain in $free_email_providers
)
-
+
and 1 of (
regex.icontains(body.plain.raw, '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'),
regex.icontains(body.html.inner_text, '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'),
@@ -30,7 +30,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Payroll fraud"
- - "Employee impersonation"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: Employee"
+ - "Free email provider"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"
diff --git a/detection-rules/impersonation_employee_subject.yml b/detection-rules/impersonation_employee_subject.yml
index d9009361063..d46d07f0d5a 100644
--- a/detection-rules/impersonation_employee_subject.yml
+++ b/detection-rules/impersonation_employee_subject.yml
@@ -1,6 +1,6 @@
name: "BEC: Employee impersonation with subject manipulation"
description: |
- Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
+ Subject matches the display name of someone in your organization, and the body resembles a BEC attack.
type: "rule"
severity: "medium"
source: |
@@ -29,10 +29,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Employee impersonation"
- - "Suspicious sender"
- - "Machine Learning"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: Employee"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
- "Natural Language Understanding"
- - "Business Email Compromise"
+ - "Sender analysis"
id: "9adfc77b-cabe-5ef8-b1ed-6ad5d682447f"
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
index caf165cfd2e..5c52c9b98f9 100644
--- a/detection-rules/impersonation_employee_urgent_request.yml
+++ b/detection-rules/impersonation_employee_urgent_request.yml
@@ -1,8 +1,8 @@
name: "Employee impersonation with urgent request (first-time sender)"
description: |
- Sender is using a display name that matches the display name of someone in your organization.
+ Sender is using a display name that matches the display name of someone in your organization.
- Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.
+ Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.
type: "rule"
severity: "medium"
source: |
@@ -33,9 +33,14 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Employee impersonation"
- - "Suspicious sender"
- - "Machine Learning"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: Employee"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
+ - "Sender analysis"
id: "1ce9a146-1293-531e-bb02-0af7ad1b018e"
diff --git a/detection-rules/impersonation_exodus.yml b/detection-rules/impersonation_exodus.yml
index b47e1938e70..4704dc61445 100644
--- a/detection-rules/impersonation_exodus.yml
+++ b/detection-rules/impersonation_exodus.yml
@@ -15,6 +15,14 @@ source: |
or any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities, .text == "wallet")
)
tags:
- - "Brand impersonation"
- "Cryptocurrency"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
id: "40c77ecc-782d-595a-a042-7fe7e4d756ee"
diff --git a/detection-rules/impersonation_facebook.yml b/detection-rules/impersonation_facebook.yml
index 02a9f03b206..b27ebe9629d 100644
--- a/detection-rules/impersonation_facebook.yml
+++ b/detection-rules/impersonation_facebook.yml
@@ -15,7 +15,13 @@ source: |
)
and sender.email.domain.root_domain not in~ ('facebook.com','facebookmail.com', 'eventsatfacebook.com', 'facebookenterprise.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"
diff --git a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
index f4ff77857fa..1834add8b97 100644
--- a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
+++ b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
@@ -2,49 +2,55 @@ name: "Fake Message Thread - First Time Sender with a Mismatched Freemail Reply-
description: |
Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility.
This is typically used in conjunction with a reply-to address that is not the same as the sender address.
-references:
+references:
- "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3"
type: "rule"
severity: "medium"
source: |
- type.inbound
+ type.inbound
- // First-time sender
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
- )
+ // First-time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
- // Reply-to is a freemail sender but From is not
- and any(headers.reply_to,
- .email.domain.domain in $free_email_providers
- and not .email.domain.domain == sender.email.domain.domain
- )
+ // Reply-to is a freemail sender but From is not
+ and any(headers.reply_to,
+ .email.domain.domain in $free_email_providers
+ and not .email.domain.domain == sender.email.domain.domain
+ )
- // Exclude marketing emails
- and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing")
+ // Exclude marketing emails
+ and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing")
- // Check for Message Thread Indicators
- and (
- strings.istarts_with(subject.subject, "RE:")
- or any([body.plain.raw, body.html.display_text],
- regex.icontains(.,"From:[ a-z0-9<>_@\\.]{0,80}Sent:[ a-z0-9<>_@\\.:]{0,40}To:[ a-z0-9<>_@\\.;]{0,300}(Cc:)?.{0,300}Subject:")
- )
+ // Check for Message Thread Indicators
+ and (
+ strings.istarts_with(subject.subject, "RE:")
+ or any([body.plain.raw, body.html.display_text],
+ regex.icontains(.,"From:[ a-z0-9<>_@\\.]{0,80}Sent:[ a-z0-9<>_@\\.:]{0,40}To:[ a-z0-9<>_@\\.;]{0,300}(Cc:)?.{0,300}Subject:")
+ )
- )
+ )
- // Check for the Presence of References or In-Reply-To properties
- and (
- length(headers.references) == 0
- or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
- )
-tags:
- - "Contact impersonation"
- - "Fake Message Thread"
+ // Check for the Presence of References or In-Reply-To properties
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "ca64e819-576b-574a-abcc-63f1916e8a41"
diff --git a/detection-rules/impersonation_fake_shipping_notification.yml b/detection-rules/impersonation_fake_shipping_notification.yml
index 06cafd32acf..7b003eb09ba 100644
--- a/detection-rules/impersonation_fake_shipping_notification.yml
+++ b/detection-rules/impersonation_fake_shipping_notification.yml
@@ -1,7 +1,7 @@
name: "Fake shipping notification with link to free file hosting"
description: |
This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting.
-references:
+references:
- "https://playground.sublimesecurity.com?id=64feb22a-03e8-4d8f-83f6-a828dc5e3540"
severity: "low"
type: "rule"
@@ -26,7 +26,14 @@ source: |
)
or sender.email.domain.valid == false
)
-tags:
+attack_types:
- "Spam"
- - "Brand impersonation"
+tactics_and_techniques:
+ - "Free file host"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "6d3fe05e-8ee6-586e-a2c6-60488ecf347a"
diff --git a/detection-rules/impersonation_fedex.yml b/detection-rules/impersonation_fedex.yml
index ce5e54f3af0..a6b9412cfac 100644
--- a/detection-rules/impersonation_fedex.yml
+++ b/detection-rules/impersonation_fedex.yml
@@ -15,7 +15,13 @@ source: |
// sedex.com is not affiliated with FedEx, but is an apparent FP
and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "94a2b602-2bc1-5ea3-941e-752e3a2235cf"
diff --git a/detection-rules/impersonation_finra.yml b/detection-rules/impersonation_finra.yml
index 077d679bded..d31b31cae3e 100644
--- a/detection-rules/impersonation_finra.yml
+++ b/detection-rules/impersonation_finra.yml
@@ -25,7 +25,13 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "15c81db4-b3ba-5e9a-978c-194f77b56739"
diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 95532ee6232..138e6d21d85 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -25,7 +25,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"
diff --git a/detection-rules/impersonation_google_via_msft_forms.yml b/detection-rules/impersonation_google_via_msft_forms.yml
index f955466bd32..c8890d2b6b5 100644
--- a/detection-rules/impersonation_google_via_msft_forms.yml
+++ b/detection-rules/impersonation_google_via_msft_forms.yml
@@ -14,7 +14,14 @@ source: |
any(body.links, .href_url.domain.root_domain not in $tranco_1m)
or strings.ilike(body.html.display_text, "*suspicious activities*", "*failure to secure*", "*loose your*", "*suspended*")
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "1daac608-66f7-5d0a-ab0f-ff9902ddabb7"
diff --git a/detection-rules/impersonation_gusto.yml b/detection-rules/impersonation_gusto.yml
index 7ca3ec295d9..3c7312fe349 100644
--- a/detection-rules/impersonation_gusto.yml
+++ b/detection-rules/impersonation_gusto.yml
@@ -15,7 +15,15 @@ source: |
and .confidence in ("medium", "high"))
and sender.email.domain.root_domain !~ 'gusto.com'
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Computer vision"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "54025c1c-34bc-5cbf-97b8-d544806fc587"
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index 0dc695bcd9c..b3496282108 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -6,9 +6,9 @@ source: |
type.inbound
and sender.email.domain.domain not in $org_domains
and regex.icontains(sender.display_name, '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)')
-
+
and (length(body.links) > 0 or length(attachments) > 0)
-
+
// Request and Urgency
and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")
and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
@@ -19,8 +19,8 @@ source: |
)
or length(ml.nlu_classifier(body.html.inner_text).intents) == 0
)
-
-
+
+
and (
(
sender.email.domain.root_domain in $free_email_providers
@@ -32,6 +32,15 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Department impersonation"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Employee"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
id: "8c95a6a8-50d3-5697-a379-c00bda8e1922"
diff --git a/detection-rules/impersonation_ledger.yml b/detection-rules/impersonation_ledger.yml
index 7f7a46c6019..0f5b09331be 100644
--- a/detection-rules/impersonation_ledger.yml
+++ b/detection-rules/impersonation_ledger.yml
@@ -38,7 +38,14 @@ source: |
)
)
tags:
- - "Brand impersonation"
- "Cryptocurrency"
- - "Ledger"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1"
diff --git a/detection-rules/impersonation_linkedin.yml b/detection-rules/impersonation_linkedin.yml
index e75e5063796..8c0e3ab07d7 100644
--- a/detection-rules/impersonation_linkedin.yml
+++ b/detection-rules/impersonation_linkedin.yml
@@ -14,7 +14,13 @@ source: |
)
and sender.email.domain.root_domain !~ 'linkedin.com'
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "1a0cde6d-ce91-575f-a6a4-7a88b12f2ca4"
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index 803d24e2b20..c36840119f0 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
@@ -1,10 +1,10 @@
name: "Brand impersonation: Microsoft"
description: |
- Impersonation of the Microsoft brand.
+ Impersonation of the Microsoft brand.
references:
- - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
- - "https://cofense.com/blog/office-365-phishing-variant/"
- - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
+ - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
+ - "https://cofense.com/blog/office-365-phishing-variant/"
+ - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
type: "rule"
severity: "high"
authors:
@@ -45,7 +45,12 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
id: "6e2f04e6-b607-5e36-9015-d39c98265579"
diff --git a/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml b/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml
new file mode 100644
index 00000000000..6b655705cea
--- /dev/null
+++ b/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml
@@ -0,0 +1,96 @@
+name: "Brand impersonation: Microsoft fake sign-in alert"
+description: |
+ Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // no links found in body
+ and length(body.links) == 0
+ // Microsoft strings
+ and (
+ strings.contains(subject.subject, "Microsoft")
+ or strings.contains(sender.display_name, "Microsoft")
+ or strings.contains(body.current_thread.text, "Microsoft")
+ or (
+
+ // or Microsoft Brand logo
+ any(attachments,
+ .file_type in ('png', 'jpeg', 'jpg', 'bmp')
+ and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
+ )
+ )
+ )
+
+ // Body contains Indicators of fake sign in notification
+ and (
+ regex.contains(body.current_thread.text,
+ '(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
+ )
+ or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
+ )
+
+
+ and (
+
+ // If the sender is freemail
+ sender.email.domain.domain in $free_email_providers
+ or (
+
+ // sender is not freemail, but the return path email or reply to email is
+ sender.email.domain.domain not in $free_email_providers
+ and (
+ headers.return_path.domain.root_domain in $free_email_providers
+ or (
+ length(headers.reply_to) > 0
+ and (
+ all(headers.reply_to, .email.domain.root_domain in $free_email_providers)
+ )
+ )
+ or (
+
+ // if all replyto domain, return_path domain, sender domain mismatch
+ length(headers.reply_to) > 0
+ and all(headers.reply_to,
+ .email.domain.domain != headers.return_path.domain.domain
+ and headers.return_path.domain.domain != sender.email.domain.domain
+ )
+ )
+
+ // or the domain is less than 90 days old
+ or beta.whois(sender.email.domain).days_old <= 90
+ or (
+
+ // or Compauth verdict is not pass/softpass
+ any(headers.hops,
+ .authentication_results.compauth.verdict is not null
+ and .authentication_results.compauth.verdict not in ("pass", "softpass")
+ )
+ )
+ )
+ )
+ )
+ and sender.email.domain.root_domain not in (
+ "bing.com",
+ "microsoft.com",
+ "microsoftonline.com",
+ "microsoftsupport.com",
+ "microsoft365.com",
+ "office.com",
+ "onedrive.com",
+ "sharepointonline.com",
+ "yammer.com",
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
+ - "Whois"
+id: "3f4c9e7a-4d85-5bee-bc8c-3a737924c236"
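Review bot: The branch commented `// if all replyto domain, return_path domain, sender domain mismatch` never compares the Reply-To domain with the sender domain — it only checks `.email.domain.domain != headers.return_path.domain.domain` and `headers.return_path.domain.domain != sender.email.domain.domain` — so a message whose Reply-To matches the From domain but whose Return-Path differs still satisfies it; either add `and .email.domain.domain != sender.email.domain.domain` inside the `all(headers.reply_to, ...)` or reword the comment to describe the two comparisons actually made. The free-email checks also mix `sender.email.domain.domain` with `headers.return_path.domain.root_domain` and `.email.domain.root_domain`; if `$free_email_providers` holds root domains, the sender comparison should presumably use `root_domain` too, as the exclusion list at the end of `source` does. Unlike `impersonation_microsoft.yml` in this diff, the new rule carries no `references` entry; one documenting the sign-in-alert lure it models would help reviewers judge the regex choices.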
diff --git a/detection-rules/impersonation_microsoft_quarantine.yml b/detection-rules/impersonation_microsoft_quarantine.yml
index 00917fe743d..2b7b1927e12 100644
--- a/detection-rules/impersonation_microsoft_quarantine.yml
+++ b/detection-rules/impersonation_microsoft_quarantine.yml
@@ -32,8 +32,18 @@ source: |
"sharepointonline.com",
"yammer.com",
)
-tags:
- - "Brand impersonation"
- - "Suspicious content"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
- "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
id: "185db6b3-b35c-578d-bd9f-dab0703288fe"
diff --git a/detection-rules/impersonation_microsoft_teams.yml b/detection-rules/impersonation_microsoft_teams.yml
new file mode 100644
index 00000000000..4b56e2189cc
--- /dev/null
+++ b/detection-rules/impersonation_microsoft_teams.yml
@@ -0,0 +1,25 @@
+name: "Brand impersonation: Microsoft Teams"
+description: |
+ Impersonation of a Microsoft Teams message.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ .file_type in ("pdf", "jpg", "jpeg", "png")
+ and any(file.explode(.),
+ regex.icontains(.scan.ocr.raw, "trying to reach you.*microsoft teams")
+ )
+ )
+ and sender.email.domain.root_domain not in ("microsoft.com", "microsoftsupport.com", "office.com")
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+id: "9cd53055-8e1a-5a45-b78f-34a62f0793dd"
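Review bot: The OCR regex `"trying to reach you.*microsoft teams"` uses an unbounded `.*`, so the two phrases may be arbitrarily far apart in the extracted text of an entire PDF or image, which is looser than the bounded gaps (`.{0,20}`, `.{0,10}`) the other new Microsoft rule in this diff uses; a bounded form such as `"trying to reach you.{0,100}microsoft teams"` keeps the match on the notification phrasing and reduces false positives on long documents. The sender exclusion `("microsoft.com", "microsoftsupport.com", "office.com")` is narrower than the list in `impersonation_microsoft_fake_sign_in_alert.yml` (no `microsoftonline.com`, `microsoft365.com`); if that is intentional, a one-line `//` comment saying why would help the next maintainer. The description `Impersonation of a Microsoft Teams message.` could state the actual signal, e.g. `Attachment whose OCR text mimics a Teams "trying to reach you" notification, sent from a non-Microsoft domain.`.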
diff --git a/detection-rules/impersonation_netflix.yml b/detection-rules/impersonation_netflix.yml
index 574410929fc..deb0c71ce17 100644
--- a/detection-rules/impersonation_netflix.yml
+++ b/detection-rules/impersonation_netflix.yml
@@ -16,7 +16,13 @@ source: |
)
and sender.email.domain.root_domain !~ 'netflix.com'
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273"
diff --git a/detection-rules/impersonation_norton_lifelock.yml b/detection-rules/impersonation_norton_lifelock.yml
index 634b31e9e2c..2cb0864b1be 100644
--- a/detection-rules/impersonation_norton_lifelock.yml
+++ b/detection-rules/impersonation_norton_lifelock.yml
@@ -44,7 +44,15 @@ source: |
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "32bd9efd-67ba-54e2-81d0-89cf16e85a70"
diff --git a/detection-rules/impersonation_outlook.yml b/detection-rules/impersonation_outlook.yml
index 1e54faba910..1af429a1fbb 100644
--- a/detection-rules/impersonation_outlook.yml
+++ b/detection-rules/impersonation_outlook.yml
@@ -9,7 +9,13 @@ source: |
and regex.icontains(sender.email.domain.domain, '.*outlook.com.+')
and sender.email.domain.root_domain != 'outlook.com.au'
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "1fe5bf7b-c4e8-5f8e-a2d7-07e32bd9678f"
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
index 68c42ee68df..d15b6c23e8a 100644
--- a/detection-rules/impersonation_paypal.yml
+++ b/detection-rules/impersonation_paypal.yml
@@ -63,7 +63,16 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "a6b2ceee-ea57-594d-8437-698fad55c9bf"
diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml
index 0f3c7c09dd0..eedf925ca66 100644
--- a/detection-rules/impersonation_recipient_domain.yml
+++ b/detection-rules/impersonation_recipient_domain.yml
@@ -18,7 +18,7 @@ source: |
// recipient's domain is in the sender's display name
and strings.icontains(sender.display_name, .email.domain.root_domain))
-
+
and not (
strings.contains(sender.display_name, "on behalf of")
and sender.email.domain.root_domain == "microsoftonline.com"
@@ -35,6 +35,11 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "63e5808a-ab9a-5112-bc41-545db8c0afd2"
diff --git a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml
index 112256164e9..087cf4725c7 100644
--- a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml
+++ b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml
@@ -1,11 +1,18 @@
name: "Impersonation: Recipient SLD in sender's email address local part"
type: "rule"
+severity: "low"
description: |
The sender's email address local part contains the recipients SLD,
the sender's domain is not a known org domain, and it's a first time sender.
source: |
type.inbound
- and any(recipients.to, strings.contains(sender.email.local_part, .email.domain.sld))
+ and (
+ any(recipients.to,
+ (strings.contains(sender.email.local_part, .email.domain.sld)
+ // checking to ensure no FPs, like "me" in "me.com"
+ and length(.email.domain.sld) > 3)
+ )
+ )
and sender.email.domain.root_domain not in $org_domains
and (
(
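Review bot: The new guard `and length(.email.domain.sld) > 3` excludes three-character SLDs as well as the two-character `"me"` case the comment cites, so the comment understates what is filtered; reword it to `// skip SLDs of 3 chars or fewer (e.g. "me" in "me.com") to avoid FPs`, or lower the threshold to `> 2` if three-letter organisation SLDs should still be matched. The added outer `and ( ... )` wraps a single `any(...)` call and adds no grouping, so those parentheses can be dropped. The `source` block scalar continues past this hunk.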
@@ -17,8 +24,11 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-severity: "low"
-tags:
- - "Organization impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "926f3b53-415c-590e-b5f7-a15c6d9e62c2"
diff --git a/detection-rules/impersonation_ripple.yml b/detection-rules/impersonation_ripple.yml
index 5ecf978e7e2..69176a1177c 100644
--- a/detection-rules/impersonation_ripple.yml
+++ b/detection-rules/impersonation_ripple.yml
@@ -21,6 +21,12 @@ source: |
)
)
tags:
- - "Brand impersonation"
- "Cryptocurrency"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "68b39736-70e0-5bf7-8a0a-3e2206552251"
diff --git a/detection-rules/impersonation_sharepoint_body_credential_theft.yml b/detection-rules/impersonation_sharepoint_body_credential_theft.yml
index 17c7267a323..d3252dd7cd1 100644
--- a/detection-rules/impersonation_sharepoint_body_credential_theft.yml
+++ b/detection-rules/impersonation_sharepoint_body_credential_theft.yml
@@ -11,10 +11,15 @@ source: |
and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
)
and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents, .name == "cred_theft")
-tags:
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
- "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
- "Natural Language Understanding"
- - "Suspicious content"
- - "Brand impersonation"
- - "Credential phishing"
+ - "Sender analysis"
id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"
diff --git a/detection-rules/impersonation_sharepoint_image_credential_theft.yml b/detection-rules/impersonation_sharepoint_image_credential_theft.yml
index 74fc155eac4..cb947d11466 100644
--- a/detection-rules/impersonation_sharepoint_image_credential_theft.yml
+++ b/detection-rules/impersonation_sharepoint_image_credential_theft.yml
@@ -17,9 +17,17 @@ source: |
)
)
)
-tags:
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Image as content"
+ - "Social engineering"
+detection_methods:
- "Computer Vision"
+ - "File analysis"
+ - "Header analysis"
- "Natural Language Understanding"
- - "Brand impersonation"
- - "Credential phishing"
+ - "Optical Character Recognition"
+ - "Sender analysis"
id: "0ac51b9a-7a2a-5be2-9e04-f71b9bfd61ac"
diff --git a/detection-rules/impersonation_siliconvalleybank.yml b/detection-rules/impersonation_siliconvalleybank.yml
index bd1731c80dc..fef5f14f685 100644
--- a/detection-rules/impersonation_siliconvalleybank.yml
+++ b/detection-rules/impersonation_siliconvalleybank.yml
@@ -9,6 +9,13 @@ source: |
or strings.ilevenshtein(sender.display_name, 'svb') <= 1
)
and beta.whois(sender.email.domain).days_old <= 30
-tags:
-- "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Whois"
id: "a01f61d9-a01a-548c-9a48-49f8d3732d05"
diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml
index 3a4d51903c5..4e982b24716 100644
--- a/detection-rules/impersonation_spotify.yml
+++ b/detection-rules/impersonation_spotify.yml
@@ -25,7 +25,12 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "70e80f91-179d-51dc-9bbd-75f1bc6f9bb3"
diff --git a/detection-rules/impersonation_stellar.yml b/detection-rules/impersonation_stellar.yml
index 90fffb5a1d5..898f25f88ee 100644
--- a/detection-rules/impersonation_stellar.yml
+++ b/detection-rules/impersonation_stellar.yml
@@ -21,6 +21,12 @@ source: |
)
)
tags:
- - "Brand impersonation"
- "Cryptocurrency"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "2af9ab94-77b2-5bf9-89f5-5206ee214d57"
diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml
index 5c0169e1194..b1dd99c3ad9 100644
--- a/detection-rules/impersonation_sublime_security.yml
+++ b/detection-rules/impersonation_sublime_security.yml
@@ -28,9 +28,12 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Brand impersonation"
- - "Contact impersonation"
- - "Executive impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "949484ed-c774-5f53-b91f-cd02ee6104f9"
diff --git a/detection-rules/impersonation_turbotax.yml b/detection-rules/impersonation_turbotax.yml
index c8d1cc07331..f0ed686bf7f 100644
--- a/detection-rules/impersonation_turbotax.yml
+++ b/detection-rules/impersonation_turbotax.yml
@@ -14,7 +14,12 @@ source: |
)
and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "90084031-cd65-5184-a7d6-a1e61d32b82b"
diff --git a/detection-rules/impersonation_twitter.yml b/detection-rules/impersonation_twitter.yml
index 3f09aba4177..dc64485fd8c 100644
--- a/detection-rules/impersonation_twitter.yml
+++ b/detection-rules/impersonation_twitter.yml
@@ -14,7 +14,12 @@ source: |
)
and sender.email.domain.domain not in~ ('twitter.com', 'privaterelay.appleid.com', 'stripe.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "013c32c2-fa05-5456-9c45-284e008ff6a4"
diff --git a/detection-rules/impersonation_ukr_net.yml b/detection-rules/impersonation_ukr_net.yml
index 096d107a387..7a399e522f3 100644
--- a/detection-rules/impersonation_ukr_net.yml
+++ b/detection-rules/impersonation_ukr_net.yml
@@ -48,7 +48,12 @@ source: |
)
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Threat intelligence"
id: "3cb4015f-1e35-5bba-8d83-d5ed3dfff011"
diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml
index dce289a4568..f1c421ae669 100644
--- a/detection-rules/impersonation_ups.yml
+++ b/detection-rules/impersonation_ups.yml
@@ -18,6 +18,13 @@ source: |
)
and any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Sender analysis"
id: "73b68869-5720-5dc3-b4bc-15730de972d8"
diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml
index 9a407aae9d0..241749c7896 100644
--- a/detection-rules/impersonation_vanta.yml
+++ b/detection-rules/impersonation_vanta.yml
@@ -19,7 +19,12 @@ source: |
)
and sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "883d4382-11a6-5924-9e3e-2cb5a11c3f56"
diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml
index 01230c1196a..d7f223835cb 100644
--- a/detection-rules/impersonation_venmo.yml
+++ b/detection-rules/impersonation_venmo.yml
@@ -14,7 +14,12 @@ source: |
)
and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "0ab15d4f-865f-518c-b54d-81043399e6f2"
diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml
index 399e7d7de36..ca351239169 100644
--- a/detection-rules/impersonation_vip_urgent_request.yml
+++ b/detection-rules/impersonation_vip_urgent_request.yml
@@ -1,8 +1,8 @@
name: "VIP impersonation with urgent request (first-time sender)"
description: |
- Sender is using a display name that matches the display name of someone in your $org_vips list.
+ Sender is using a display name that matches the display name of someone in your $org_vips list.
- Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.
+ Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders.
type: "rule"
severity: "high"
source: |
@@ -31,10 +31,14 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "VIP impersonation"
- - "Executive impersonation"
- - "Suspicious sender"
- - "Machine Learning"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: VIP"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Content analysis"
- "Natural Language Understanding"
+ - "Sender analysis"
id: "0dd1fa60-6e89-5f70-81a1-6b64eef0e428"
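Review bot: `detection_methods` lists `"Content analysis"` twice (the two added lines directly above `"Natural Language Understanding"`); one of them should be removed so the list stays a set. If the rule validation step does not already reject repeated entries within `attack_types`, `tactics_and_techniques` and `detection_methods`, adding such a check would catch this class of slip across the whole taxonomy migration.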
diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml
index fa263090b22..df4a0d019c4 100644
--- a/detection-rules/impersonation_wells_fargo.yml
+++ b/detection-rules/impersonation_wells_fargo.yml
@@ -18,7 +18,13 @@ source: |
)
and sender.email.domain.root_domain not in~ ('wellsfargo.com', 'wellsfargoadvisors.com', 'transunion.com', 'wellsfargoemail.com', 'wellsfargorewards.com', 'comcast-spectacor.com', 'investordelivery.com', 'comcastspectacor.com')
and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
id: "02d7301f-cc29-5031-9a1e-f013400805ba"
diff --git a/detection-rules/impersonation_wise_suspicious_attachment.yml b/detection-rules/impersonation_wise_suspicious_attachment.yml
new file mode 100644
index 00000000000..7ee9bb9b194
--- /dev/null
+++ b/detection-rules/impersonation_wise_suspicious_attachment.yml
@@ -0,0 +1,29 @@
+name: "Brand impersonation: Wise with suspicious attachment"
+description: |
+ Impersonating Wise Financial, as confirmed by NLU, and contains a suspicious attachment type.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ strings.ilike(sender.display_name, '*wise*')
+ or strings.ilike(sender.email.domain.domain, '*wise*')
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).tags, .name in ("payment", "invoice"))
+ and any(attachments, .file_type
+ in $file_extensions_common_archives
+ or .file_type in $file_extensions_executables
+ or .file_type in $file_extensions_macros
+ or .file_type in ("lz")
+ )
+ and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs')
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+id: "01480f95-dc1e-5b9a-a360-96bfee663c39"
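Review bot: `strings.ilike(sender.display_name, '*wise*')` and `strings.ilike(sender.email.domain.domain, '*wise*')` are substring matches, so any display name or domain containing "wise" (a surname ending in "-wise", "clockwise", and so on) satisfies the brand condition, and together with a payment/invoice NLU tag and an archive attachment the rule will fire on some legitimate mail. Consider anchoring on the word (`regex.icontains(sender.display_name, '\bwise\b')`, as `impersonation_human_resources.yml` does with `\b`) or adding the first-time-sender guards (`$sender_domains`) the other rules in this diff use. The description says the brand is "confirmed by NLU", but the NLU condition only checks `.tags` for `payment`/`invoice` topics and does not confirm Wise; reword to something like `Wise-themed sender with payment/invoice NLU tags and a suspicious attachment type.`. The `any(attachments, .file_type` line breaks mid-expression before `in $file_extensions_common_archives`; keeping `.file_type in $file_extensions_common_archives` on one line matches the formatting of the other `any(attachments, ...)` conditions in this diff.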
diff --git a/detection-rules/impersonation_zoom_strict.yml b/detection-rules/impersonation_zoom_strict.yml
index d1ed6c9eb42..7f16a2066ac 100644
--- a/detection-rules/impersonation_zoom_strict.yml
+++ b/detection-rules/impersonation_zoom_strict.yml
@@ -28,7 +28,11 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "00f3d94f-7ed2-5dde-a48d-fb5fcbc20cd2"
diff --git a/detection-rules/inline_image_as_message.yml b/detection-rules/inline_image_as_message.yml
index fbefd1f6e79..545207dd3ff 100644
--- a/detection-rules/inline_image_as_message.yml
+++ b/detection-rules/inline_image_as_message.yml
@@ -24,7 +24,13 @@ source: |
)
and strings.ilike(body.html.raw, "*img*cid*")
and sender.email.email not in $recipient_emails
-tags:
- - "Malware"
- - "Credential phishing"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Image as content"
+detection_methods:
+ - "Content analysis"
+ - "HTML analysis"
+ - "URL analysis"
id: "823d7107-2605-5671-9acb-ba172d071671"
diff --git a/detection-rules/link_coinbase_low_rep_or_shortened.yml b/detection-rules/link_coinbase_low_rep_or_shortened.yml
index 256d80b16ce..25ca7d8847f 100644
--- a/detection-rules/link_coinbase_low_rep_or_shortened.yml
+++ b/detection-rules/link_coinbase_low_rep_or_shortened.yml
@@ -6,13 +6,13 @@ severity: "medium"
source: |
type.inbound
and sender.email.domain.root_domain != "coinbase.com"
-
+
// more than 0 less than 5 links
and 0 < length(body.links) < 5
-
+
// none of the links are to coinbase.com
and all(body.links, .href_url.domain.root_domain != "coinbase.com")
-
+
// low rep or url shortened links found
and any(body.links,
.href_url.domain.domain in $url_shorteners
@@ -45,8 +45,16 @@ source: |
or any(ml.logo_detect(beta.message_screenshot()).brands,
.name == "Coinbase")
)
-tags:
- - "Brand impersonation"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free subdomain host"
+ - "Image as content"
+ - "Impersonation: Brand"
+detection_methods:
- "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "URL analysis"
id: "b61e2f8e-ab8e-5212-ab20-c294babfc6d9"
diff --git a/detection-rules/link_contains_punycode_characters.yml b/detection-rules/link_contains_punycode_characters.yml
index 3c2000757cc..b6602634cf6 100644
--- a/detection-rules/link_contains_punycode_characters.yml
+++ b/detection-rules/link_contains_punycode_characters.yml
@@ -25,6 +25,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious content"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Lookalike domain"
+ - "Punycode"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "74b3698c-d75e-52db-9596-48af93817822"
diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
index 1bf25aeaf72..4da5dafcea0 100644
--- a/detection-rules/link_credential_phishing.yml
+++ b/detection-rules/link_credential_phishing.yml
@@ -20,8 +20,13 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Credential phishing"
- - "Suspicious link"
- - "Machine Learning"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Sender analysis"
+ - "URL analysis"
+ - "URL screenshot"
id: "a278012b-6c2b-5bca-b32c-f3663459bb1d"
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index 1e857150b43..f2ab0717bac 100644
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -313,8 +313,15 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Credential phishing"
- - "Machine Learning"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5"
diff --git a/detection-rules/link_credential_phishing_language_ipfs.yml b/detection-rules/link_credential_phishing_language_ipfs.yml
index b1a39819299..b94fc53e673 100644
--- a/detection-rules/link_credential_phishing_language_ipfs.yml
+++ b/detection-rules/link_credential_phishing_language_ipfs.yml
@@ -25,8 +25,14 @@ source: |
)
)
)
-tags:
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Free subdomain host"
+ - "IPFS"
+detection_methods:
+ - "Content analysis"
- "Natural Language Understanding"
- - "Credential phishing"
- - "Suspicious link"
+ - "URL analysis"
id: "996c4d83-0a13-53e4-928c-6c08caeedab7"
diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
new file mode 100644
index 00000000000..51ae6b43e60
--- /dev/null
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -0,0 +1,42 @@
+name: "Credential phishing: 'Secure message' and engaging language"
+description: |
+ Body contains language resembling credential theft, and a "secure message" from a first-time sender.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence == "high"
+ )
+
+ // ----- other suspicious signals here -----
+ and strings.icontains(body.html.display_text, "secure message")
+
+ // todo: automated display name / human local part
+ // todo: suspicious link (unfurl click trackers)
+
+ // ----------
+
+ // has at least 1 link
+ and length(body.links) > 0
+
+ // first-time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Natural Language Understanding"
+ - "Sender analysis"
+id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744"
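Review bot: The "secure message" check reads only `body.html.display_text`, so a plaintext-only message never satisfies it even when the NLU and first-time-sender conditions hold; the sibling rule link_qr_code_suspicious_language_fts.yml in this same diff uses `coalesce(body.html.display_text, body.plain.raw)` for the same purpose, and `and strings.icontains(coalesce(body.html.display_text, body.plain.raw), "secure message")` would keep the two consistent. The two `// todo:` lines ship inside the rule source; if they are meant as a roadmap, moving them to the description or a tracked issue keeps the source to what is actually evaluated. The name says "engaging language" while the source requires the `cred_theft` intent specifically, so the description could say so.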
diff --git a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
index 1d5f0d36eaf..b3fbdb5bcb6 100644
--- a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
+++ b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
@@ -61,8 +61,14 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Credential phishing"
- - "Machine Learning"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
- "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
id: "447386dc-e748-5aca-8da4-a3d15345550c"
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 6298286013f..7b446d465d4 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -53,9 +53,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious link"
- - "Suspicious content"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
- "Natural Language Understanding"
- - "Credential phishing"
+ - "Sender analysis"
+ - "URL analysis"
id: "74ba7787-e543-5ce8-b6eb-e1ecdb8f1d67"
diff --git a/detection-rules/link_deactivated_bitly.yml b/detection-rules/link_deactivated_bitly.yml
index ad36e9320f4..c7d0fb33248 100644
--- a/detection-rules/link_deactivated_bitly.yml
+++ b/detection-rules/link_deactivated_bitly.yml
@@ -15,6 +15,10 @@ source: |
beta.linkanalysis(.).final_dom.display_text, "*link*blocked*"
)
)
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "URL analysis"
id: "1528eb6c-22fa-5879-b48c-53ee466fde23"
diff --git a/detection-rules/link_download_disk_image_in_encrypted_zip.yml b/detection-rules/link_download_disk_image_in_encrypted_zip.yml
index 1045312f38f..03c55ce08db 100644
--- a/detection-rules/link_download_disk_image_in_encrypted_zip.yml
+++ b/detection-rules/link_download_disk_image_in_encrypted_zip.yml
@@ -1,41 +1,50 @@
-name: "Link to auto-downloaded disk image in encrypted zip"
-description: |
- A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
-type: "rule"
-references:
- - "https://twitter.com/pr0xylife/status/1592502966409654272"
- - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353"
- - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
- - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/"
-severity: "medium"
-authors:
- - twitter: "ajpc500"
-source: |
- type.inbound
- and any(body.links,
- any(beta.linkanalysis(.).files_downloaded,
- any(
- file.explode(.), (
- any(.flavors.yara, . == "encrypted_zip") and
- any(.scan.zip.all_paths, any([".img", ".iso", ".vhd"], strings.ends_with(.., .)))
- )
- )
- )
- )
- // first-time sender
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
- )
-tags:
- - "QakBot"
- - "Suspicious link"
- - "Malware"
- - "HTML smuggling"
-id: "b50f0cb1-67b8-570c-9b34-0de08ff52508"
+name: "Link to auto-downloaded disk image in encrypted zip"
+description: |
+ A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot.
+type: "rule"
+references:
+ - "https://twitter.com/pr0xylife/status/1592502966409654272"
+ - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353"
+ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
+ - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/"
+severity: "medium"
+authors:
+ - twitter: "ajpc500"
+source: |
+ type.inbound
+ and any(body.links,
+ any(beta.linkanalysis(.).files_downloaded,
+ any(
+ file.explode(.), (
+ any(.flavors.yara, . == "encrypted_zip") and
+ any(.scan.zip.all_paths, any([".img", ".iso", ".vhd"], strings.ends_with(.., .)))
+ )
+ )
+ )
+ )
+ // first-time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+tags:
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Sender analysis"
+ - "URL analysis"
+ - "YARA"
+id: "b50f0cb1-67b8-570c-9b34-0de08ff52508"
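Review bot: Every line of this file is removed and re-added with identical text, which buries the only substantive change (the new `tags`/`attack_types`/`tactics_and_techniques`/`detection_methods` block at the end) and makes blame useless for the rule source. This looks like a line-ending or trailing-whitespace normalization; if so, it is worth saying in the commit message or committing separately, and a `* text=auto` entry in `.gitattributes` would stop it recurring. The old `HTML smuggling` tag is dropped without an equivalent in the new taxonomy, although the references still describe the technique; confirm that is intended rather than an oversight.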
diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml
index d0324c36adb..51f23a46dad 100644
--- a/detection-rules/link_download_suspicious_file.yml
+++ b/detection-rules/link_download_suspicious_file.yml
@@ -45,9 +45,17 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-
-tags:
- - "HTML smuggling"
- - "Suspicious link"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Evasion"
+ - "LNK"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Sender analysis"
+ - "URL analysis"
+ - "YARA"
id: "67ae2152-ac52-52d4-bec2-6bbc4a488df9"
diff --git a/detection-rules/link_dynamics_form.yml b/detection-rules/link_dynamics_form.yml
index 249601c8526..57279577c92 100644
--- a/detection-rules/link_dynamics_form.yml
+++ b/detection-rules/link_dynamics_form.yml
@@ -37,7 +37,15 @@ source: |
)
)
)
-tags:
- - "Suspicious links"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Optical Character Recognition"
- "Natural Language Understanding"
+ - "URL analysis"
+ - "URL screenshot"
id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc"
diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml
new file mode 100644
index 00000000000..0bf72f79c40
--- /dev/null
+++ b/detection-rules/link_fake_fax_low_reputation.yml
@@ -0,0 +1,82 @@
+name: "Brand impersonation: Fake fax"
+description: |
+ Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from a first-time sender.
+references:
+ - "https://www.hoxhunt.com/blog/fax-phishing"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and 0 < length(body.links) < 5
+ and sender.email.domain.root_domain not in $org_domains
+ and any(body.links,
+ (
+ .href_url.domain.domain not in $tranco_1m or
+ .href_url.domain.domain in $free_file_hosts or
+ .href_url.domain.root_domain in $free_subdomain_hosts or
+ .href_url.domain.domain in $url_shorteners or
+
+ // mass mailer link, masks the actual URL
+ .href_url.domain.root_domain in (
+ "hubspotlinks.com",
+ "mandrillapp.com",
+ "sendgrid.net",
+ )
+ )
+ )
+
+ // any brand logo detected
+ and (
+ any(attachments,
+ .file_type in ('png', 'jpeg', 'jpg', 'bmp')
+ and any(ml.logo_detect(.).brands, .name is not null)
+ )
+ or any(ml.logo_detect(beta.message_screenshot()).brands,
+ .name is not null)
+ )
+
+ // Subject or sender contains fax
+ and (
+ strings.icontains(subject.subject, "fax") or
+ strings.icontains(sender.display_name, "fax")
+ )
+
+ // suspicious content
+ and (
+ strings.ilike(body.plain.raw, "*fax*")
+ or (
+ any(attachments,
+ .file_type in ('png', 'jpeg', 'jpg', 'bmp')
+ and any(file.explode(.),
+ strings.ilike(.scan.ocr.raw, "*fax*")
+ )
+ )
+ )
+ )
+
+ // first time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Image as content"
+ - "Free file host"
+ - "Free subdomain host"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"
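Review bot: The `tactics_and_techniques` list here is not in the alphabetical order that the other re-tagged rules in this diff follow (e.g. `Evasion`, `Free subdomain host`, `Image as content`, `Impersonation: Brand`); reordering to `Free file host`, `Free subdomain host`, `Image as content`, `Impersonation: Brand`, `Social engineering` keeps the metadata diffable. The `.file_type in ('png', 'jpeg', 'jpg', 'bmp')` checks are case-sensitive, whereas link_google_fake_sign_in_image_lure.yml in this diff uses `in~` for the same list; if `file_type` can carry uppercase extensions, `in~` is the safer form here too. The brand-logo branch accepts any detected brand, so a first-time sender whose own logo appears will match; a short comment such as `// any brand, not only fax vendors: the low-rep link and fax lure carry the signal` would record that this is deliberate.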
diff --git a/detection-rules/link_fake_thread_nlu_financial_request.yml b/detection-rules/link_fake_thread_nlu_financial_request.yml
index d36a6240d66..4f52fb5e712 100644
--- a/detection-rules/link_fake_thread_nlu_financial_request.yml
+++ b/detection-rules/link_fake_thread_nlu_financial_request.yml
@@ -4,7 +4,7 @@ type: "rule"
severity: "medium"
source: |
type.inbound
-
+
// suspicious link
and any(body.links,
.href_url.domain.root_domain not in $tranco_1m and
@@ -23,7 +23,10 @@ source: |
length(headers.references) == 0
and headers.in_reply_to is null
)
- or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ or (
+ not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
+ )
)
// sender's domain is not in body, and body has > 0 links
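Review bot: The new glob `"*:reply-to"` is anchored at the end, so it only matches a signed-header list that ends in `:reply-to`; a list such as `from:to:reply-to:subject` or one carrying `in-reply-to` would not match. If the intent is "any hop whose signature covers Reply-To / In-Reply-To", something like `"*reply-to*"` is needed, and a one-line comment stating which header the check targets would help, since the surrounding condition is about `In-Reply-To`. The enclosing `or (...)` group starts before this hunk.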
@@ -62,9 +65,14 @@ source: |
// sender domain matches no body domains
all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain),
)
-tags:
- - "Suspicious link"
- - "Fake Message Thread"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
- - "Machine Learning"
+ - "Sender analysis"
+ - "URL analysis"
id: "8fd0e211-285d-5cbd-9c11-868c0501b526"
diff --git a/detection-rules/link_firebase_new_domain_redirect.yml b/detection-rules/link_firebase_new_domain_redirect.yml
index f41911bd9c1..56770e6e0dd 100644
--- a/detection-rules/link_firebase_new_domain_redirect.yml
+++ b/detection-rules/link_firebase_new_domain_redirect.yml
@@ -13,6 +13,12 @@ source: |
strings.icontains(.href_url.domain.domain, "app") and
any(beta.linkanalysis(.).redirect_history, beta.whois(.domain).days_old < 7)
)
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "URL analysis"
+ - "Whois"
id: "5a204a37-3120-53c1-a55a-5f4f09c61dc4"
diff --git a/detection-rules/link_google_amp_suspicious_indicators.yml b/detection-rules/link_google_amp_suspicious_indicators.yml
new file mode 100644
index 00000000000..69b2c6eb4ea
--- /dev/null
+++ b/detection-rules/link_google_amp_suspicious_indicators.yml
@@ -0,0 +1,67 @@
+name: "Google Accelerated Mobile Pages (AMP) abuse"
+description: |
+ This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities.
+ The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish
+ between legitimate Google AMP pages and potential malicious usage.
+references:
+ - "https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ // Any body links with a domain SLD of 'google' and a path starting with /amp/s
+ and any(body.links,
+ .href_url.domain.sld == "google"
+ and strings.starts_with(.href_url.path, "/amp/s/")
+
+ // Brand Logo detected that is not google
+ and (
+ any(ml.logo_detect(beta.message_screenshot()).brands,
+ .name is not null and .name != "Google"
+ )
+
+ // or the page has a login or captcha
+ or (
+ beta.linkanalysis(.).credphish.contains_login
+ or beta.linkanalysis(.).credphish.contains_captcha
+ )
+
+ // or linkanalysis concludes phishing of medium to high confidence
+ or any([beta.linkanalysis(.)],
+ .credphish.disposition == "phishing"
+ and .credphish.brand.confidence in ("medium", "high")
+ )
+
+ // or NLU detected cred theft on the landing page
+ or any(file.explode(beta.linkanalysis(.).screenshot),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
+ )
+
+ // captcha partially loaded
+ or strings.icontains(.scan.ocr.raw, "Checking if the site connection is secure")
+ )
+
+ // or the link display text contains "password"
+ or strings.icontains(.display_text, "password")
+
+ // or the link contains the recipients email in the url path
+ or any(recipients.to, strings.icontains(..href_url.path, .email.email))
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Open redirect"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+ - "URL screenshot"
+id: "46907029-ef83-50a8-9198-75af39dd5f3b"
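Review bot: `detection_methods` lists `Sender analysis`, but the source contains no sender condition at all (no `sender.*`, `$sender_domains`, `$free_email_providers` or `$org_domains` check), so either the metadata entry should be dropped or a sender gate is missing; every other credential-phishing rule in this diff that claims `Sender analysis` carries a first-time-sender block. `beta.linkanalysis(.)` is invoked four times per link in one `any` body; this may be cached by the engine, but if it is not, each call can re-fetch the destination. The `.href_url.domain.sld == "google"` test plus `strings.starts_with(.href_url.path, "/amp/s/")` is case-sensitive on the path, so documenting that this is intentional (`// path is case-sensitive: Google serves /amp/s/ only in lowercase`) would make the choice reviewable.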
diff --git a/detection-rules/link_google_apps_script_macro.yml b/detection-rules/link_google_apps_script_macro.yml
index 027c84db8ee..455c236c8c7 100644
--- a/detection-rules/link_google_apps_script_macro.yml
+++ b/detection-rules/link_google_apps_script_macro.yml
@@ -22,7 +22,13 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "d10146df-547f-5a89-8690-477283e3b1f7"
diff --git a/detection-rules/link_google_comment_script_macro.yml b/detection-rules/link_google_comment_script_macro.yml
index 04205c4c9d9..f3b769a83de 100644
--- a/detection-rules/link_google_comment_script_macro.yml
+++ b/detection-rules/link_google_comment_script_macro.yml
@@ -22,7 +22,13 @@ source: |
// Or the Sender Display Name is not in your Org Display Names
or not any($org_display_names, strings.istarts_with(sender.display_name, strings.concat(., " (Google ")))
)
-tags:
- - "Suspicious link"
- - "Open redirect"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "66fecd30-4628-5e53-b3cb-5355a6741487"
diff --git a/detection-rules/link_google_fake_sign_in_image_lure.yml b/detection-rules/link_google_fake_sign_in_image_lure.yml
new file mode 100644
index 00000000000..0f7f8a25679
--- /dev/null
+++ b/detection-rules/link_google_fake_sign_in_image_lure.yml
@@ -0,0 +1,50 @@
+name: "Brand impersonation: Google fake sign-in warning"
+description: |
+ Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and length(body.links) > 0
+
+ // Google Logo in Attachment
+ and any(attachments,
+ .file_type in ('png', 'jpeg', 'jpg', 'bmp')
+ and any(ml.logo_detect(.).brands, .name in ("Google"))
+ )
+ and any(attachments,
+ .file_type in~ ('bmp', 'png', 'jpg', 'jpeg')
+ and (
+ any(file.explode(.),
+ // Fake activity warning
+ length(filter(.scan.strings.strings, strings.ilike(.,
+ "*new sign-in*",
+ "*google account*",
+ "*secure your account*",
+ "*check activity*"
+ ))) >= 3
+ )
+ )
+ )
+
+ // legitimate sign-in warnings contains links to google, gmail or googleapis.com
+ and (
+ not all(body.links,
+ .href_url.domain.root_domain in ("google.com", "gmail.com", "googleapis.com")
+ or .href_url.domain.root_domain is null
+ )
+ )
+ and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain != "google.com"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+id: "2d998eee-476b-5f9c-a244-3c11f79138dd"
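Review bot: The two attachment checks use different operators on the same list: the logo check uses `.file_type in ('png', 'jpeg', 'jpg', 'bmp')` (case-sensitive) while the OCR check uses `.file_type in~ ('bmp', 'png', 'jpg', 'jpeg')`, so an attachment with an uppercase type could satisfy the second and never the first, and the rule would not fire. Using `in~` in both places removes the mismatch. The description says "no links leading to Google sites", but the source requires only that not all links point to Google; wording it as "at least one link that does not lead to Google" would match the logic.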
diff --git a/detection-rules/link_google_translate.yml b/detection-rules/link_google_translate.yml
index 953f843b108..de404ccf609 100644
--- a/detection-rules/link_google_translate.yml
+++ b/detection-rules/link_google_translate.yml
@@ -1,5 +1,4 @@
name: "Link: Google Translate (unsolicited)"
-
description: |
Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain.
This rule identifies instances of Google Translate links from unsolicited senders.
@@ -25,6 +24,12 @@ source: |
)
)
tags:
- - "Suspicious link"
- "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "6949e115-b806-56ea-8976-420bb9d47e5c"
diff --git a/detection-rules/link_html_smuggling_with_adobe_branding.yml b/detection-rules/link_html_smuggling_with_adobe_branding.yml
index b54b99f3b44..d400afe4923 100644
--- a/detection-rules/link_html_smuggling_with_adobe_branding.yml
+++ b/detection-rules/link_html_smuggling_with_adobe_branding.yml
@@ -36,9 +36,16 @@ source: |
)
)
tags:
- - "HTML smuggling"
- - "Suspicious link"
- - "Brand impersonation"
- - "Malware"
- - "QakBot"
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+ - "URL screenshot"
id: "e826c2cf-740c-5588-b0a1-8f45bb5baf47"
diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
index 61aeab77c77..9998b9f2052 100644
--- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml
+++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
@@ -21,7 +21,7 @@ source: |
// Hi from Qakbot
any(file.explode(beta.linkanalysis(.).screenshot),
- all([
+ any([
"the file is not displayed correctly",
"use local downloaded file"
], strings.icontains(..scan.ocr.raw, .))
@@ -39,9 +39,16 @@ source: |
)
)
tags:
- - "HTML smuggling"
- - "Suspicious link"
- - "Brand impersonation"
- - "Malware"
- - "QakBot"
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "URL analysis"
+ - "URL screenshot"
id: "4b5343be-9b10-58a3-8d14-a1bae1eebc62"
diff --git a/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml b/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml
index 036bae54467..7e41ca94b07 100644
--- a/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml
+++ b/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml
@@ -15,8 +15,15 @@ source: |
)
// First time sender exclusions are in place to avoid legitimate messages from known freemail senders.
and sender.email.email not in $sender_emails
-tags:
- - "Invoice fraud"
- - "Receipt fraud"
- - "Customer service fraud"
+attack_types:
+ - "BEC/Fraud"
+ - "Callback Phishing"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "3825232d-be75-5ad1-ba7f-a3ec97d23960"
diff --git a/detection-rules/link_ipfs_phishing.yml b/detection-rules/link_ipfs_phishing.yml
index d7d80e9a50c..668f3492769 100644
--- a/detection-rules/link_ipfs_phishing.yml
+++ b/detection-rules/link_ipfs_phishing.yml
@@ -1,6 +1,5 @@
name: "Link: IPFS"
-description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links
- that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites."
+description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites."
references:
- "https://securelist.com/ipfs-phishing/109158/"
- "https://docs.ipfs.tech/how-to/address-ipfs-on-web/"
@@ -12,7 +11,7 @@ source: |
and any(body.links,
// Any body link domains contain "ipfs"
strings.icontains(.href_url.domain.domain, "ipfs")
-
+
// Or the path contains ipfs anchored to a leading or trailing '-', '/', '.'
or (
regex.icontains(.href_url.query_params, '[\.-/]ipfs|ipfs[\.-/]')
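Review bot: The character class `[\.-/]` on the last line of this hunk is parsed as a range from `.` to `/`, which covers only `.` and `/`, so the leading or trailing `-` that the comment promises is never matched. Placing the dash last (or first) fixes it: `regex.icontains(.href_url.query_params, '[./-]ipfs|ipfs[./-]')`. This line is unchanged context, but the whitespace edit touches the same expression, so it is a convenient moment to correct it.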
@@ -45,6 +44,14 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Free file host"
+ - "Free subdomain host"
+ - "IPFS"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "19fa6442-83b9-5479-ba04-61906b595929"
diff --git a/detection-rules/link_login_or_captcha.yml b/detection-rules/link_login_or_captcha.yml
index 897f8b83d8a..28342feeed5 100644
--- a/detection-rules/link_login_or_captcha.yml
+++ b/detection-rules/link_login_or_captcha.yml
@@ -24,8 +24,9 @@ source: |
// if it's a known brand impersonation, we'll detect it in other rules
and .href_url.domain.root_domain not in ("zendesk.com")
and beta.linkanalysis(.).effective_url.domain.root_domain not in ("zendesk.com")
+ and beta.linkanalysis(.).effective_url.domain.domain not in ("login.squarespace.com")
)
-
+
// exclude FP prone senders
and sender.email.domain.root_domain not in ("sharepointonline.com")
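Review bot: The new `login.squarespace.com` exclusion switches from `root_domain` (used by the two zendesk lines above it) to `domain.domain`, which is presumably deliberate so that only Squarespace's own login host is excluded and not every Squarespace-hosted site; a comment such as `// exact host, not root_domain: only Squarespace's own login page is excluded` would stop a later edit from "harmonizing" it back. `beta.linkanalysis(.)` is now evaluated twice for the same link; if the engine does not cache it, folding both `effective_url` checks into one condition avoids the second call. The enclosing `any(body.links, ...)` block starts before this hunk.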
@@ -40,8 +41,14 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Credential phishing"
- - "Suspicious link"
- - "Machine Learning"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free subdomain host"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "File analysis"
+ - "Sender analysis"
+ - "URL screenshot"
id: "93288f82-fbd2-5e88-b207-7f06386495a6"
diff --git a/detection-rules/link_microsoft_device_code_phish.yml b/detection-rules/link_microsoft_device_code_phish.yml
index ec098762b03..50111ea8102 100644
--- a/detection-rules/link_microsoft_device_code_phish.yml
+++ b/detection-rules/link_microsoft_device_code_phish.yml
@@ -41,6 +41,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "61f3ae67-c05c-506f-bbfe-764108a40974"
diff --git a/detection-rules/link_microsoft_go2_open_redirect_phish.yml b/detection-rules/link_microsoft_go2_open_redirect_phish.yml
index cc550409a62..82d692fcfb2 100644
--- a/detection-rules/link_microsoft_go2_open_redirect_phish.yml
+++ b/detection-rules/link_microsoft_go2_open_redirect_phish.yml
@@ -22,8 +22,13 @@ source: |
and headers.mailer is null
and regex.icontains(body.html.inner_text,
'(i͏c͏r͏os͏of͏|icrosof)|(office|o)\s?365')
-tags:
- - "Suspicious link"
- - "Credential phishing"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
- "Open redirect"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "URL analysis"
id: "51667096-1628-5113-809b-97155a03eadf"
diff --git a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
index 24677dcc45e..56a8df0da3f 100644
--- a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
+++ b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
@@ -27,7 +27,7 @@ source: |
// org domain in the subject of the message
and any($org_domains, strings.icontains(subject.subject, .))
-
+
// first-time sender
and (
(
@@ -39,8 +39,14 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Brand impersonation"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
- "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
id: "07c696d4-c58e-5252-96e2-70211f9de338"
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index c1116fa52dc..8c1f579ea3e 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -21,7 +21,7 @@ source: |
)
// exclude sources of potential FPs
- and .href_url.domain.root_domain not in ("svc.ms", "sharepoint.com", "1drv.ms")
+ and .href_url.domain.root_domain not in ("svc.ms", "sharepoint.com", "1drv.ms", "microsoft.com")
)
// not a reply
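Review bot: Adding `"microsoft.com"` to the root-domain exclusion also excludes links whose first hop is a Microsoft-hosted redirector, which is exactly the pattern link_microsoft_go2_open_redirect_phish.yml in this same diff targets; confirm that rule is meant to be the sole coverage for that case, and note it next to the exclusion, e.g. `// microsoft.com redirectors are covered by link_microsoft_go2_open_redirect_phish`. The `any(body.links, ...)` block this line belongs to starts before the hunk.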
@@ -91,9 +91,20 @@ source: |
"sharepointonline.com",
"yammer.com"
)
-
-tags:
- - "Suspicious link"
- - "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Image as content"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
- "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
id: "b59201b6-f253-55a6-9c0a-e1500a32a751"
diff --git a/detection-rules/link_new_domain_in_link_first_time_sender.yml b/detection-rules/link_new_domain_in_link_first_time_sender.yml
index e88a1d838de..ea1ed146a45 100644
--- a/detection-rules/link_new_domain_in_link_first_time_sender.yml
+++ b/detection-rules/link_new_domain_in_link_first_time_sender.yml
@@ -18,7 +18,12 @@ source: |
)
)
tags:
- - "Suspicious link"
- - "New domain"
- "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
+ - "Whois"
id: "4805b0e6-6d35-512b-8053-87dd0edacc8a"
diff --git a/detection-rules/link_notion_file_share.yml b/detection-rules/link_notion_file_share.yml
index fa67e9cde57..c77e215dfca 100644
--- a/detection-rules/link_notion_file_share.yml
+++ b/detection-rules/link_notion_file_share.yml
@@ -24,7 +24,14 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free file host"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "f7307929-bbfd-58b6-81e4-afff7610cff2"
diff --git a/detection-rules/link_office365_suspicious_app_authorization.yml b/detection-rules/link_office365_suspicious_app_authorization.yml
index 4df7bdfe762..8a6eceb0163 100644
--- a/detection-rules/link_office365_suspicious_app_authorization.yml
+++ b/detection-rules/link_office365_suspicious_app_authorization.yml
@@ -11,6 +11,8 @@ source: |
type.inbound
and any(body.links, .href_url.domain.domain == 'login.microsoftonline.com'
and strings.ilike(.href_url.query_params, '*offline_access*', '*.readwrite*', '*.read*'))
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+detection_methods:
+ - "URL analysis"
id: "13a8c430-3e62-5c8f-86b5-3722599bead4"
diff --git a/detection-rules/link_outlook_left_to_right_exploit.yml b/detection-rules/link_outlook_left_to_right_exploit.yml
index c30f9dcc678..5de1c572dc0 100644
--- a/detection-rules/link_outlook_left_to_right_exploit.yml
+++ b/detection-rules/link_outlook_left_to_right_exploit.yml
@@ -9,7 +9,13 @@ source: |
type.inbound
// this regex contains a Unicode U+200E character (may not be visible in many clients)
and regex.contains(body.html.raw, 'base.{0,100}/>')
-tags:
- - "Suspicious link"
- - "Office exploit"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Exploit"
+detection_methods:
+ - "Content analysis"
+ - "HTML analysis"
+ - "URL analysis"
id: "160cc681-dfb3-5820-aa03-37f0289bd0e2"
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 8bb13ac67b0..286d56d4be6 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -7,18 +7,18 @@ type: "rule"
severity: "medium"
source: |
type.inbound
-
+
// check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
and any(attachments,
.file_type in~ ('bmp', 'png', 'jpg', 'jpeg', 'gif')
and any(file.explode(.), .scan.qr.type == "url"
-
+
// recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains
and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
and .scan.qr.url.domain.root_domain not in $org_domains
)
)
-
+
// NLU has identified cred_theft language with high confidence
and (
any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents, .name == "cred_theft" and .confidence == "high")
@@ -34,7 +34,7 @@ source: |
)
)
)
-
+
// first-time sender
and (
(
@@ -46,8 +46,17 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-tags:
- - "Suspicious Link"
- - "Natural Language Understanding"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
- "QR code"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Computer Vision"
+ - "Natural Language Understanding"
+ - "QR code analysis"
+ - "Sender analysis"
+ - "URL analysis"
id: "25a84d1c-9578-53e3-98a7-ca9b43abb28b"
diff --git a/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml b/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml
index dccbc21799c..0b4e11af5c0 100644
--- a/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml
+++ b/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml
@@ -11,9 +11,13 @@ source: |
and length(recipients.to) > 40 // You may want to adjust this threshold if 40 is too aggressive
and any(recipients.to, .email.domain.domain in $free_email_providers)
and sender.display_name not in $org_display_names
-tags:
- - "Suspicious link"
- - "Suspicious content"
- - "Suspicious subject"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+ - "Spam"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "5579bb4b-a225-57c1-99e1-65c704bad6ad"
diff --git a/detection-rules/link_undisclosed_recipients_credphish.yml b/detection-rules/link_undisclosed_recipients_credphish.yml
index 249341cbf17..12650b125a5 100644
--- a/detection-rules/link_undisclosed_recipients_credphish.yml
+++ b/detection-rules/link_undisclosed_recipients_credphish.yml
@@ -20,7 +20,12 @@ source: |
)
)
)
-tags:
- - "Suspicious headers"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Computer Vision"
+ - "Header analysis"
+ - "URL screenshot"
id: "06fc155e-f779-50a7-ad5f-3c3777fbf8f5"
diff --git a/detection-rules/lookalike_sender_domain.yml b/detection-rules/lookalike_sender_domain.yml
index 72f47d708c6..c36d1af53bf 100644
--- a/detection-rules/lookalike_sender_domain.yml
+++ b/detection-rules/lookalike_sender_domain.yml
@@ -24,7 +24,13 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
- - "Suspicious sender"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "67721993-4f5d-575b-970b-3ced67a874fa"
diff --git a/detection-rules/malformed_url_prefix.yml b/detection-rules/malformed_url_prefix.yml
index cfa7f116571..5e973073a53 100644
--- a/detection-rules/malformed_url_prefix.yml
+++ b/detection-rules/malformed_url_prefix.yml
@@ -1,12 +1,17 @@
name: Malformed URL prefix
description: |
Malformed URL prefix is a technique used to evade email security scanners.
-references:
+references:
- "https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/"
type: "rule"
severity: "high"
source: |
any(body.links, regex.icontains(.href_url.url, ':/\\'))
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "URL analysis"
id: "4e659d28-53fa-51ca-888d-a7cab1e4bcad"
diff --git a/detection-rules/mass_campaign_recipient_address_new_sender.yml b/detection-rules/mass_campaign_recipient_address_new_sender.yml
index d6a88ae41cf..28cfdbd4ca9 100644
--- a/detection-rules/mass_campaign_recipient_address_new_sender.yml
+++ b/detection-rules/mass_campaign_recipient_address_new_sender.yml
@@ -48,9 +48,12 @@ source: |
)
// we could add additional logic here, such as suspicious subject, url shortener, sus link, etc.
-tags:
- - "Credential phishing"
- - "Machine Learning"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
- "Natural Language Understanding"
- - "Suspicious subject"
+ - "Sender analysis"
id: "599dabf5-6287-5adf-8a8f-70649ccf0f92"
diff --git a/detection-rules/open_redirect_atdmt.yml b/detection-rules/open_redirect_atdmt.yml
index 53b8854fc87..759e44ed73c 100644
--- a/detection-rules/open_redirect_atdmt.yml
+++ b/detection-rules/open_redirect_atdmt.yml
@@ -10,6 +10,11 @@ severity: "medium"
source: |
type.inbound
and any(body.links, .href_url.domain.domain == 'ad.atdmt.com' and strings.ilike(.href_url.path, '*/c*'))
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "URL analysis"
id: "fafbd230-bb09-5306-b652-3060639b8660"
diff --git a/detection-rules/open_redirect_avast.yml b/detection-rules/open_redirect_avast.yml
index 8157f93be99..dec9e0aa290 100644
--- a/detection-rules/open_redirect_avast.yml
+++ b/detection-rules/open_redirect_avast.yml
@@ -19,7 +19,12 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
- - "Suspicious link"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "5f635658-19be-5112-a47b-f8c9bd271999"
diff --git a/detection-rules/open_redirect_bmwusa.yml b/detection-rules/open_redirect_bmwusa.yml
index 46a69e09457..0ee00f692e9 100644
--- a/detection-rules/open_redirect_bmwusa.yml
+++ b/detection-rules/open_redirect_bmwusa.yml
@@ -7,7 +7,12 @@ source: |
type.inbound
and sender.email.domain.root_domain not in~ ('bmw.com', 'bmwusa.com')
and any(body.links, .href_url.domain.domain == 't.msg.bmwusa.com' and .href_url.path =~ '/r/')
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "1bf4e69a-1762-5168-8dc9-c5d3d0d4a181"
diff --git a/detection-rules/open_redirect_googleweblight.yml b/detection-rules/open_redirect_googleweblight.yml
index a9f3018b254..6efa7b7a8a3 100644
--- a/detection-rules/open_redirect_googleweblight.yml
+++ b/detection-rules/open_redirect_googleweblight.yml
@@ -11,6 +11,12 @@ source: |
.href_url.domain.domain == 'googleweblight.com' and
strings.ilike(.href_url.url, '*/i?u=*')
)
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "27030ba5-c9dc-5789-bd3e-621626e0a123"
diff --git a/detection-rules/open_redirect_hhs.yml b/detection-rules/open_redirect_hhs.yml
index 98fee55417c..5556fe70450 100644
--- a/detection-rules/open_redirect_hhs.yml
+++ b/detection-rules/open_redirect_hhs.yml
@@ -9,6 +9,12 @@ source: |
type.inbound
and any(body.links,
.href_url.domain.domain == 'dcis.hhs.gov' and strings.ilike(.href_url.query_params, '*service*'))
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "c2d8cda9-358e-5856-93a7-8e76d1ab1df5"
diff --git a/detection-rules/open_redirect_linkedin.yml b/detection-rules/open_redirect_linkedin.yml
index b6e1fcfec96..d5e063483f3 100644
--- a/detection-rules/open_redirect_linkedin.yml
+++ b/detection-rules/open_redirect_linkedin.yml
@@ -8,11 +8,25 @@ authors:
severity: "medium"
source: |
type.inbound
- and sender.email.domain.root_domain != "linkedin.com"
- and any(body.links, .href_url.domain.root_domain == 'linkedin.com' and .href_url.path == '/slink')
- and any(body.links, strings.ilike(.href_url.query_params, 'code=*'))
-tags:
+ and (
+ (
+ sender.email.domain.root_domain != "linkedin.com"
+ and any(body.links, .href_url.domain.root_domain == 'linkedin.com' and .href_url.path == '/slink')
+ and any(body.links, strings.ilike(.href_url.query_params, 'code=*'))
+ )
+ or any(attachments, .file_type == "pdf"
+ and any(file.explode(.),
+ any(.scan.url.urls, .domain.root_domain == 'linkedin.com' and .path == '/slink')
+ and any(.scan.url.urls, strings.ilike(.query_params, 'code=*'))
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
- - "Suspicious link"
-
-id: "5ad2ffae-fca7-58ff-90bd-8efbd98c0a72"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
+id: "5ad2ffae-fca7-58ff-90bd-8efbd98c0a72"
\ No newline at end of file
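Review bot: The new PDF branch (`or any(attachments, .file_type == "pdf" ...)`) is not gated by the `sender.email.domain.root_domain != "linkedin.com"` exclusion, which only sits inside the first parenthesised branch, so a message genuinely sent from linkedin.com that carries a PDF with a `/slink?code=` URL would now fire where it previously did not. If that is unintended, move the sender check above the `and (` so it covers both branches, e.g. `and sender.email.domain.root_domain != "linkedin.com"` followed by `and (` with the body-links branch reduced to the two `any(body.links, ...)` clauses. The two separate `any(.scan.url.urls, ...)` calls also do not require the domain/path and the `code=*` query to be on the same URL, mirroring the pre-existing body-links form, which may be worth stating in a comment so a future tightening is a deliberate change. Finally, the rewritten file drops the trailing newline (`\ No newline at end of file`), which the other rule files in this commit keep.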
diff --git a/detection-rules/open_redirect_mcgill.yml b/detection-rules/open_redirect_mcgill.yml
index 2b2a145b9b9..c11b91eb90e 100644
--- a/detection-rules/open_redirect_mcgill.yml
+++ b/detection-rules/open_redirect_mcgill.yml
@@ -8,7 +8,12 @@ source: |
and any(body.links, .href_url.domain.domain == 'myalumni.mcgill.ca' and .href_url.path =~ '/redirect.aspx')
and any(body.links, strings.ilike(.href_url.query_params, '*tokenUrl=*'))
and sender.email.domain.root_domain != 'mcgill.ca'
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
- - "Suspicious link"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "5d006c90-a585-576f-84af-d4f9e4365d39"
diff --git a/detection-rules/open_redirect_msn.yml b/detection-rules/open_redirect_msn.yml
index 3a907e0f6e7..ecaf61f8506 100644
--- a/detection-rules/open_redirect_msn.yml
+++ b/detection-rules/open_redirect_msn.yml
@@ -16,7 +16,12 @@ source: |
and .href_url.path =~ "/en-gb/lifestyle/rf-best-products-uk/redirect"
and strings.icontains(.href_url.query_params, "url")
)
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "0e0a691a-3bf9-573a-82dd-96b4ef8f96c5"
diff --git a/detection-rules/open_redirect_panera_bread.yml b/detection-rules/open_redirect_panera_bread.yml
index be9359e78aa..acf8a71a3ed 100644
--- a/detection-rules/open_redirect_panera_bread.yml
+++ b/detection-rules/open_redirect_panera_bread.yml
@@ -9,6 +9,12 @@ source: |
type.inbound
and any(body.links, .href_url.domain.domain == 't.e1.panerabread.com' and .href_url.path =~ '/r/')
and sender.email.domain.root_domain != 'panerabread.com'
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "91a726a2-9f14-54bf-8f2c-fe7ed7ee6142"
diff --git a/detection-rules/open_redirect_samsung.yml b/detection-rules/open_redirect_samsung.yml
index d927e18afdd..2c368baf97b 100644
--- a/detection-rules/open_redirect_samsung.yml
+++ b/detection-rules/open_redirect_samsung.yml
@@ -10,6 +10,12 @@ source: |
type.inbound
and any(body.links, .href_url.domain.domain == 't.info.samsungusa.com' and .href_url.path =~ '/r/')
and sender.email.domain.root_domain != 'samsungusa.com'
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "164ece9a-26ca-5872-9604-7e948722d627"
diff --git a/detection-rules/open_redirect_slack.yml b/detection-rules/open_redirect_slack.yml
index 779eddba4cf..f2c7632c34c 100644
--- a/detection-rules/open_redirect_slack.yml
+++ b/detection-rules/open_redirect_slack.yml
@@ -7,6 +7,12 @@ source: |
type.inbound
and sender.email.domain.root_domain not in~ ('atlassian.net', 'slack.com', 'soundtrap.com')
and any(body.links, .href_url.domain.domain == 'slack-redir.net' and strings.ilike(.href_url.query_params, '*url=*'))
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "1b15f4a3-e7ab-56c1-9ba3-f63788389ebe"
diff --git a/detection-rules/open_redirect_snapchat.yml b/detection-rules/open_redirect_snapchat.yml
index 22f77a548f3..20f76e0e19d 100644
--- a/detection-rules/open_redirect_snapchat.yml
+++ b/detection-rules/open_redirect_snapchat.yml
@@ -9,6 +9,12 @@ source: |
type.inbound and
any(body.links, .href_url.domain.domain == "click.snapchat.com") and
sender.email.domain.root_domain != "snapchat.com"
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "6f363e68-ced9-5f0e-8951-4070623cd705"
diff --git a/detection-rules/open_redirect_ticketmaster.yml b/detection-rules/open_redirect_ticketmaster.yml
index acc098a2241..49c98050f58 100644
--- a/detection-rules/open_redirect_ticketmaster.yml
+++ b/detection-rules/open_redirect_ticketmaster.yml
@@ -10,7 +10,12 @@ source: |
and any(body.links, .href_url.domain.domain == 'links.engage.ticketmaster.com' and .href_url.path =~ '/ctt')
and sender.email.domain.root_domain != 'ticketmaster.com'
and headers.return_path.domain.root_domain != "ticketmaster.com"
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
- - "Suspicious link"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "a5b3901f-e57b-5fb9-a3d7-ee2205cc0c5b"
diff --git a/detection-rules/open_redirect_vk.yml b/detection-rules/open_redirect_vk.yml
index 7bd7c3d2bf5..fec229a9238 100644
--- a/detection-rules/open_redirect_vk.yml
+++ b/detection-rules/open_redirect_vk.yml
@@ -9,7 +9,12 @@ source: |
type.inbound
and any(body.links, .href_url.domain.root_domain == 'vk.com' and .href_url.path =~ '/away.php')
and sender.email.domain.root_domain != 'vk.com'
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
- "Open redirect"
- - "Suspicious link"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "6ebd6d42-b0d5-5585-a715-aa939097ed99"
diff --git a/detection-rules/open_redirect_youtube.yml b/detection-rules/open_redirect_youtube.yml
index a09bdd7d568..3edbb9797ee 100644
--- a/detection-rules/open_redirect_youtube.yml
+++ b/detection-rules/open_redirect_youtube.yml
@@ -9,6 +9,12 @@ source: |
type.inbound
and any(body.links, .href_url.domain.root_domain == "youtube.com" and strings.icontains(.href_url.url, "attribution_link?"))
and sender.email.domain.root_domain != "youtube.com"
-tags:
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
id: "fb33bffe-d3db-5acb-ae19-5ddc6b5b0b01"
diff --git a/detection-rules/paypal_invoice_abuse.yml b/detection-rules/paypal_invoice_abuse.yml
index 4f47dfb2a9a..90549fbc2f0 100644
--- a/detection-rules/paypal_invoice_abuse.yml
+++ b/detection-rules/paypal_invoice_abuse.yml
@@ -8,39 +8,46 @@ references:
- "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
severity: "medium"
source: |
- type.inbound
- and length(attachments) == 0
- and sender.email.domain.root_domain == "paypal.com"
- and not any(headers.hops, .authentication_results.dmarc == "fail")
- and strings.ilike(body.html.display_text, "*seller note*")
- and (
- (
- //phone number but not 800 number
- regex.contains(body.html.inner_text, '[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?[\s:,-]\d{3}[\s:,-]\d{4}\b')
- and (
- 4 of (
- strings.ilike(body.html.inner_text, '*you did not*'),
- strings.ilike(body.html.inner_text, '*subscription*'),
- strings.ilike(body.html.inner_text, '*antivirus*'),
- strings.ilike(body.html.inner_text, '*order*'),
- strings.ilike(body.html.inner_text, '*support*'),
- strings.ilike(body.html.inner_text, '*receipt*'),
- strings.ilike(body.html.inner_text, '*invoice*'),
- strings.ilike(body.html.inner_text, '*call*'),
- strings.ilike(body.html.inner_text, '*cancel*'),
- strings.ilike(body.html.inner_text, '*renew*'),
- strings.ilike(body.html.inner_text, '*refund*'),
- strings.ilike(body.html.inner_text, '*+1*'),
- strings.ilike(body.html.inner_text, '*help*desk*')
- )
- )
- )
- or (
- //Unicode confusables words obfuscated in note
- regex.contains(body.html.inner_text, '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹')
- )
- )
-tags:
+ type.inbound
+ and length(attachments) == 0
+ and sender.email.domain.root_domain == "paypal.com"
+ and not any(headers.hops, .authentication_results.dmarc == "fail")
+ and strings.ilike(body.html.display_text, "*seller note*")
+ and (
+ (
+ //phone number but not 800 number
+ regex.contains(body.html.inner_text, '[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?[\s:,-]\d{3}[\s:,-]\d{4}\b')
+ and (
+ 4 of (
+ strings.ilike(body.html.inner_text, '*you did not*'),
+ strings.ilike(body.html.inner_text, '*subscription*'),
+ strings.ilike(body.html.inner_text, '*antivirus*'),
+ strings.ilike(body.html.inner_text, '*order*'),
+ strings.ilike(body.html.inner_text, '*support*'),
+ strings.ilike(body.html.inner_text, '*receipt*'),
+ strings.ilike(body.html.inner_text, '*invoice*'),
+ strings.ilike(body.html.inner_text, '*call*'),
+ strings.ilike(body.html.inner_text, '*cancel*'),
+ strings.ilike(body.html.inner_text, '*renew*'),
+ strings.ilike(body.html.inner_text, '*refund*'),
+ strings.ilike(body.html.inner_text, '*+1*'),
+ strings.ilike(body.html.inner_text, '*help*desk*')
+ )
+ )
+ )
+ or (
+ //Unicode confusables words obfuscated in note
+ regex.contains(body.html.inner_text, '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹')
+ )
+ )
+attack_types:
+ - "BEC/Fraud"
- "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"
diff --git a/detection-rules/punycode_sender_domain.yml b/detection-rules/punycode_sender_domain.yml
index bed5f01ddbb..fc010ad69d5 100644
--- a/detection-rules/punycode_sender_domain.yml
+++ b/detection-rules/punycode_sender_domain.yml
@@ -10,8 +10,14 @@ type: "rule"
severity: "high"
source: |
type.inbound and strings.ilike(sender.email.domain.domain, "*xn--*")
-tags:
- - "Suspicious sender"
- - "Punycode"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
- "Lookalike domain"
+ - "Punycode"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
id: "bc3d8db5-dc83-5b77-bee4-9cf62f32b6de"
diff --git a/detection-rules/recipients_undisclosed_compauth_check.yml b/detection-rules/recipients_undisclosed_compauth_check.yml
index 984ec6c09ab..2a6d2c4bbc8 100644
--- a/detection-rules/recipients_undisclosed_compauth_check.yml
+++ b/detection-rules/recipients_undisclosed_compauth_check.yml
@@ -33,9 +33,11 @@ source: |
)
)
)
-tags:
- - "Suspicious sender"
- - "Suspicious headers"
+detection_methods:
+ - "Content analysis"
+ - "Computer Vision"
+ - "Header analysis"
- "Natural Language Understanding"
- - "Machine Learning"
+ - "URL analysis"
+ - "URL screenshot"
id: "34fb65f6-03e8-5752-b602-4f294172b5db"
diff --git a/detection-rules/recipients_undisclosed_free_subdomain_host.yml b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
index 50d2de0c853..192c3709b64 100644
--- a/detection-rules/recipients_undisclosed_free_subdomain_host.yml
+++ b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
@@ -5,7 +5,7 @@ type: "rule"
severity: "medium"
source: |
type.inbound
-
+
and any(body.links,
.href_url.domain.root_domain in $free_subdomain_hosts
and .href_url.domain.subdomain is not null
@@ -17,7 +17,9 @@ source: |
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
-tags:
- - "Suspicious link"
- - "Suspicious headers"
+tactics_and_techniques:
+ - "Free subdomain host"
+detection_methods:
+ - "Header analysis"
+ - "URL analysis"
id: "c23d979d-de80-599d-b0ca-c7fef217885e"
diff --git a/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml b/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml
index 728f7c5d427..50ab9cacd78 100644
--- a/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml
+++ b/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml
@@ -1,6 +1,5 @@
name: "Suspicious Recipients pattern with NLU credential theft indicators"
-description: "Detects messages with undisclosed recipients (likely all bcc) and NLU identified a
- credential theft intent with medium to high confidence from a suspicious low reputation link domain"
+description: "Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain"
type: "rule"
severity: "medium"
source: |
@@ -12,7 +11,7 @@ source: |
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
and any(body.links, .href_url.domain.domain not in $tranco_1m)
-
+
and (
any(body.links, regex.icontains(.display_text,
'(view|click|download|goto)?(attachment|download|file|online|document)s?')
@@ -25,9 +24,13 @@ source: |
.name in ("cred_theft")
and .confidence in ("medium", "high")
)
-tags:
- - "Suspicious sender"
- - "Suspicious headers"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
- "Natural Language Understanding"
+ - "URL analysis"
id: "8e121c3e-b9cf-5aa3-b799-e025a69b7d8c"
diff --git a/detection-rules/sender_new_from_domain_first_time_sender.yml b/detection-rules/sender_new_from_domain_first_time_sender.yml
index 23b3e70fc61..61bf772d666 100644
--- a/detection-rules/sender_new_from_domain_first_time_sender.yml
+++ b/detection-rules/sender_new_from_domain_first_time_sender.yml
@@ -17,7 +17,8 @@ source: |
)
)
tags:
- - "Suspicious sender"
- - "New domain"
- "Attack surface reduction"
+detection_methods:
+ - "Sender analysis"
+ - "Whois"
id: "d87fa543-aabb-55f5-9660-23c9e7a85b2a"
diff --git a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
index 616ee7220d5..ad1dbaa3f82 100644
--- a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
+++ b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
@@ -1,15 +1,15 @@
name: "Spam: Campaign with excessive display-text and keywords found"
-type: "rule"
description: |
Detects affiliate marketing spam where any link contains display-text greater than 3000 chars and specific values found.
-references:
- - "https://playground.sublimesecurity.com?id=aa90e106-fa06-43f2-aa85-50d69591e073"
+references:
+ - "https://playground.sublimesecurity.com?id=aa90e106-fa06-43f2-aa85-50d69591e073"
+type: "rule"
+severity: "low"
source: |
type.inbound
and length(body.links) > 0
- and (
- any(body.links, length(.display_text) >3000)
- )
+ and any(body.links, length(.display_text) >3000)
+
and any(
body.links, regex.icontains(.display_text, '(\bPassword:)', 'Hi.{0,5}Welcome\b')
)
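Review bot: The rewritten line `and any(body.links, length(.display_text) >3000)` keeps the old `>3000` spacing while the comparison directly above it is written `> 0`; since this line is being touched anyway, `and any(body.links, length(.display_text) > 3000)` keeps the operator style consistent within the source block. The added blank `+` line after it is harmless inside the `source: |` block scalar but inconsistent with the rest of this rule, where clauses are not separated by blank lines. The source block continues past the end of this hunk.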
@@ -24,7 +24,8 @@ source: |
and sender.email.domain.domain not in $sender_domains
)
)
-severity: "low"
-tags:
+attack_types:
- "Spam"
+detection_methods:
+ - "Content analysis"
id: "140e46a1-c8a6-530a-ad88-21b7e4b4b02f"
diff --git a/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml b/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml
index 69aa68b9e0f..027e82f540d 100644
--- a/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml
+++ b/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml
@@ -2,7 +2,7 @@ name: "Spam: Campaign with excessive space/char obfuscation and free file hosted
description: |
This rule detects mass spam campaigns using excessive space padding with
links utilizing free file hosting.
-references:
+references:
- "https://playground.sublimesecurity.com?id=a340c08c-a1d9-41a9-96f8-6d1fe888cb5b"
type: "rule"
severity: "low"
@@ -22,6 +22,11 @@ source: |
)
or sender.email.domain.valid == false
)
-tags:
+attack_types:
- "Spam"
+tactics_and_techniques:
+ - "Free file host"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
id: "122bc0ca-4f9c-5403-9b4e-7e9d47b92ef2"
diff --git a/detection-rules/spam_url_shortener_emojis.yml b/detection-rules/spam_url_shortener_emojis.yml
new file mode 100644
index 00000000000..9e06b64f841
--- /dev/null
+++ b/detection-rules/spam_url_shortener_emojis.yml
@@ -0,0 +1,46 @@
+name: "Spam: URL shortener with short body content and emojis"
+description: |
+ Detects spam from freemail senders, where the majority of the body is a URL shortener and emojis.
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+
+ // sender is a freemail
+ and sender.email.domain.root_domain in $free_email_providers
+
+ // has a URL shortener
+ and any(body.links,
+ .href_url.domain.root_domain in $url_shorteners
+ )
+
+ // short body, basically just the URL
+ and length(body.plain.raw) < 100
+
+ // has an emoji in the subject or body
+ and (
+ regex.contains(body.plain.raw, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
+ or regex.contains(subject.subject, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
+
+ )
+
+ // first-time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+attack_types:
+ - "Spam"
+tactics_and_techniques:
+ - "Free email provider"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+id: "b7797e4c-f2d7-5330-8a16-7123fe9bb6a8"
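Review bot: The `// first-time sender` block's `or ( sender.email.domain.root_domain not in $free_email_providers and ... )` branch is unreachable, because the rule already requires `sender.email.domain.root_domain in $free_email_providers` in the `// sender is a freemail` clause above, so the first-time-sender condition collapses to `and sender.email.email not in $sender_emails`. Replacing the whole block with that single clause (keeping the comment) states the intent directly and avoids a reader assuming non-freemail senders are covered. The `length(body.plain.raw) < 100` check presumably does not match when `body.plain.raw` is absent (HTML-only messages); if that exclusion is intended it is worth a one-line comment such as `// plain-text body required; HTML-only messages are out of scope`, and if not, `coalesce(body.plain.raw, body.html.display_text)` as used elsewhere in this repository may be the better input. The identical emoji character-class regex appears twice; a comment naming the ranges it covers would help whoever next has to keep the two copies in sync.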
diff --git a/detection-rules/spoof_dropbox.yml b/detection-rules/spoof_dropbox.yml
index b23ab4c22aa..32e7d3076d6 100644
--- a/detection-rules/spoof_dropbox.yml
+++ b/detection-rules/spoof_dropbox.yml
@@ -9,7 +9,13 @@ source: |
and any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail"))
// mitigates situations where an ESG misconfiguration could cause auth failures
and not strings.ends_with(headers.message_id, ".dropbox.com>")
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Spoofing"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "bd99740a-07e1-5c6f-92f6-b223478effa8"
diff --git a/detection-rules/spoofable_internal_domain_suspicious_signals.yml b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
index 9446d76c936..d9c07b3caf2 100644
--- a/detection-rules/spoofable_internal_domain_suspicious_signals.yml
+++ b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
@@ -73,5 +73,17 @@ source: |
)
tags:
- - "Spoof"
+ - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Free subdomain host"
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
id: "40089d69-9150-5270-97f1-9f68e4ca9a5a"
diff --git a/detection-rules/stripe_invoice_abuse.yml b/detection-rules/stripe_invoice_abuse.yml
index ed10ac1a16d..673d28d72b2 100644
--- a/detection-rules/stripe_invoice_abuse.yml
+++ b/detection-rules/stripe_invoice_abuse.yml
@@ -10,7 +10,7 @@ source: |
and length(attachments) == 2
and sender.email.domain.root_domain == "stripe.com"
and any(headers.hops, .authentication_results.dmarc == "pass")
-
+
and any(attachments, .file_extension == "pdf"
and any(file.explode(.),
length(filter(.scan.strings.strings, strings.ilike(.,
@@ -23,7 +23,12 @@ source: |
))) >= 4
)
)
-tags:
+attack_types:
+ - "BEC/Fraud"
- "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "PDF"
+detection_methods:
+ - "File analysis"
+ - "Header analysis"
id: "90162d16-0311-579f-b256-b501ca29bb35"
diff --git a/detection-rules/suspicious_request_for_quote_html_smuggling.yml.yml b/detection-rules/suspicious_request_for_quote_html_smuggling.yml
similarity index 92%
rename from detection-rules/suspicious_request_for_quote_html_smuggling.yml.yml
rename to detection-rules/suspicious_request_for_quote_html_smuggling.yml
index d2542148923..616f8ce02c5 100644
--- a/detection-rules/suspicious_request_for_quote_html_smuggling.yml.yml
+++ b/detection-rules/suspicious_request_for_quote_html_smuggling.yml
@@ -6,7 +6,7 @@ type: "rule"
severity: "high"
source: |
type.inbound
-
+
// RFP/RFQ language
and 1 of (
(
@@ -36,7 +36,7 @@ source: |
body.html.display_text, body.plain.raw)).tags,.name == "purchase_order" and .confidence == "high")
)
)
-
+
// HTML smuggling
and any(attachments,
(
@@ -61,10 +61,15 @@ source: |
)
)
)
-tags:
- - "RFP"
- - "RFQ"
- - "Suspicious attachment"
- - "HTML smuggling"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
- "Natural Language Understanding"
+ - "URL analysis"
id: "a47a5755-a698-5daf-98b5-21cdcf893ee2"
diff --git a/detection-rules/suspicious_request_for_quote_or_purchase.yml b/detection-rules/suspicious_request_for_quote_or_purchase.yml
index a2cf639cba3..32845806c39 100644
--- a/detection-rules/suspicious_request_for_quote_or_purchase.yml
+++ b/detection-rules/suspicious_request_for_quote_or_purchase.yml
@@ -21,7 +21,7 @@ source: |
and any(headers.reply_to, .email.email not in $recipient_emails)
)
)
-
+
and 2 of (
(
regex.icontains(coalesce(body.html.display_text, body.plain.raw), '(discuss.{0,15}purchas(e|ing))')
@@ -50,10 +50,13 @@ source: |
body.html.display_text, body.plain.raw)).tags,.name == "purchase_order" and .confidence == "high")
)
)
-tags:
- - "Suspicious sender"
- - "Fraud"
- - "RFQ"
- - "RFP"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+detection_methods:
+ - "Content analysis"
- "Natural Language Understanding"
+ - "URL analysis"
id: "2ac0d329-c1fb-5c87-98dd-ea3e5b85377a"
diff --git a/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml b/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml
index 35d02c72e37..c150bd7e286 100644
--- a/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml
+++ b/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml
@@ -6,13 +6,19 @@ type: "rule"
severity: "medium"
source: |
type.inbound
-
+
// Suspicious recipient pattern
and any(recipients.to, .display_name == "Undisclosed recipients")
and strings.contains(body.html.display_text, "shared a file with you")
and strings.icontains(subject.subject, "shared")
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
-tags:
- - "Suspicious headers"
- - "Suspicious Link"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "URL analysis"
id: "998a0826-e917-5a8f-9e15-0f1ded21bf91"
diff --git a/detection-rules/suspicious_shipping_notification.yml b/detection-rules/suspicious_shipping_notification.yml
index 7791cb14d75..3d1f34b6141 100644
--- a/detection-rules/suspicious_shipping_notification.yml
+++ b/detection-rules/suspicious_shipping_notification.yml
@@ -7,20 +7,25 @@ source: |
type.inbound
// contains at least 1 link
and length(body.links) > 0
-
+
and 3 of (
strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*(1)*"),
strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*waiting for delivery*"),
strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*delivery missed*"),
strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*tracking number*")
)
-
+
// urgent/time-sensitive language
and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities, .name == "urgency")
-
+
// email is not personalized with recipients name
and any(recipients.to, any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities, .text == ..email.local_part))
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Spam"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
- "Natural Language Understanding"
- - "Suspicious body"
id: "67748b0a-ac4c-525c-8393-7ed7b1b51f29"
diff --git a/detection-rules/uri_handler_search_ms.yml b/detection-rules/uri_handler_search_ms.yml
new file mode 100644
index 00000000000..3743df9390d
--- /dev/null
+++ b/detection-rules/uri_handler_search_ms.yml
@@ -0,0 +1,27 @@
+name: "URI protocol handler: search-ms"
+description: |
+ Detects HTML attachments using the search-ms URI protocol handler,
+ a technique observed ITW to deliver malicious payloads.
+
+ This rule can be updated to analyze links in PDF attachments and message bodies
+references:
+ - "https://twitter.com/blackorbird/status/1684505999301029888?s=20"
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments, .file_type == "html"
+ and any(file.explode(.),
+ any(.scan.strings.strings,
+ regex.contains(., 'search-ms:query.*location:\\\\')
+ )
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+id: "ee27d9c0-2d7e-5f6d-85be-73f3bf5b7cb1"
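Review bot: The pattern on the `regex.contains(., 'search-ms:query.*location:\\\\')` line is case-sensitive, while URI schemes are case-insensitive by specification, so a differently cased `SEARCH-MS:query=...` in the attachment would not be caught; `regex.icontains(., 'search-ms:query.*location:\\\\')` closes that gap at no cost. The description's final sentence ("This rule can be updated to analyze links in PDF attachments and message bodies") is a roadmap note rather than a description of what the rule does; it belongs in a `//` comment inside `source` or a tracked follow-up so it does not appear in the rule's user-facing text.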
diff --git a/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml b/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml
index 99588db10e5..f5f22f7b46a 100644
--- a/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml
+++ b/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml
@@ -45,8 +45,14 @@ source: |
)
)
tags:
- - "Suspicious links"
- - "Suspicious attachments"
- - "URLhaus"
- - "Abusech"
+ - "Abusech: URLhaus"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "PDF"
+detection_methods:
+ - "File analysis"
+ - "Threat intelligence"
+ - "URL analysis"
id: "cfca2986-0daa-582c-a379-fb0a31329847"
diff --git a/detection-rules/vip_impersonation_attack_surface_reduction.yml b/detection-rules/vip_impersonation_attack_surface_reduction.yml
index 56290b850b9..7b1babdc6ee 100644
--- a/detection-rules/vip_impersonation_attack_surface_reduction.yml
+++ b/detection-rules/vip_impersonation_attack_surface_reduction.yml
@@ -1,52 +1,57 @@
name: "VIP / Executive impersonation (first-time sender, unsolicited)"
description: |
- Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
+ Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before.
- The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
- Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
+ The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
+ Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
- This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
+ This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
- Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
+ Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
type: "rule"
severity: "high"
-source: |
- type.inbound
+source: |
+ type.inbound
- and any($org_vips, .display_name == sender.display_name)
+ and any($org_vips, .display_name == sender.display_name)
- and (
- // ignore personal <> work emails
- // where the sender and mailbox's display name are the same
- length(recipients.to) > 1 or length(recipients.cc) > 1
- or sender.display_name != mailbox.display_name
- )
+ and (
+ // ignore personal <> work emails
+ // where the sender and mailbox's display name are the same
+ length(recipients.to) > 1 or length(recipients.cc) > 1
+ or sender.display_name != mailbox.display_name
+ )
- // first-time sender
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
- )
+ // first-time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
- // unsolicited
- and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
- )
+ // unsolicited
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $recipient_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $recipient_domains
+ )
+ )
tags:
- - "VIP impersonation"
- - "Executive impersonation"
- "Attack surface reduction"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Impersonation: VIP"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
id: "e42c84b7-9d50-5870-9a5d-311670a14bc1"
diff --git a/insights/content/tracking_pixel.yml b/insights/content/tracking_pixel.yml
new file mode 100644
index 00000000000..bf77570e07c
--- /dev/null
+++ b/insights/content/tracking_pixel.yml
@@ -0,0 +1,16 @@
+name: "Tracking pixel in HTML body"
+type: "query"
+source: |
+ (
+ // standard html
+ regex.contains(body.html.raw,
+ ']*?width="1(px)?"[^>]*?height="1(px)?"[^>]*?style="[^"]*(visibility:hidden|display:none)[^"]*"[^>]*?>'
+ )
+ // handle quoted printable variants
+ or regex.contains(body.html.raw,
+ ''
+ )
+ )
+severity: "low"
+tags:
+ - "Tracking pixel"
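Review bot: The `source` block here is the same query, line for line, as the new signals/content/body_tracking_pixel.yml later in this diff, so the two regexes will drift apart the first time one of them is tuned; if both files are needed, each should at least carry `// keep in sync with signals/content/body_tracking_pixel.yml` (and the mirror comment there), and a single shared definition would be better if the rule format allows it. Separately, as rendered on this page the second `regex.contains` pattern is the empty string `''` and the first begins with `]*?`, which looks like an `<img[^>` prefix being swallowed by the page's HTML rendering rather than the committed text; worth confirming against the file itself, since an empty pattern would match every HTML body.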
diff --git a/signals/attachment_count.yml b/signals/attachments/attachment_count.yml
similarity index 100%
rename from signals/attachment_count.yml
rename to signals/attachments/attachment_count.yml
diff --git a/signals/attachment_filesizes.yml b/signals/attachments/attachment_filesizes.yml
similarity index 100%
rename from signals/attachment_filesizes.yml
rename to signals/attachments/attachment_filesizes.yml
diff --git a/signals/content/body_tracking_pixel.yml b/signals/content/body_tracking_pixel.yml
new file mode 100644
index 00000000000..63ea71b5eef
--- /dev/null
+++ b/signals/content/body_tracking_pixel.yml
@@ -0,0 +1,13 @@
+name: "Tracking pixel in HTML body"
+type: "query"
+source: |
+ (
+ // standard html
+ regex.contains(body.html.raw,
+ ']*?width="1(px)?"[^>]*?height="1(px)?"[^>]*?style="[^"]*(visibility:hidden|display:none)[^"]*"[^>]*?>'
+ )
+ // handle quoted printable variants
+ or regex.contains(body.html.raw,
+ ''
+ )
+ )
diff --git a/signals/headers/headers_fake_thread.yml b/signals/headers/headers_fake_thread.yml
new file mode 100644
index 00000000000..4573126026c
--- /dev/null
+++ b/signals/headers/headers_fake_thread.yml
@@ -0,0 +1,9 @@
+name: "Fake message thread"
+type: "query"
+source: |
+ type.inbound
+ and strings.istarts_with(subject.subject, "RE:")
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
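Review bot: The `or` joining `length(headers.references) == 0` with the In-Reply-To check flags any message missing either header, so a genuine reply whose client sets In-Reply-To but omits References (or the reverse) is reported as a fake thread; if the intent is "no threading evidence at all", the two conditions should be joined with `and`. Whichever is intended, a comment above the block stating it, e.g. `// subject claims a reply but the message carries no threading headers`, would stop the next reader from "fixing" it the other way. The `"RE:"` prefix also does not cover localized reply prefixes such as `AW:` or `SV:`, which is fine if deliberate but worth a note.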
diff --git a/signals/headers/headers_gmail_autoforward.yml b/signals/headers/headers_gmail_autoforward.yml
new file mode 100644
index 00000000000..b8e4abf63ba
--- /dev/null
+++ b/signals/headers/headers_gmail_autoforward.yml
@@ -0,0 +1,7 @@
+name: "Gmail Auto-Forward"
+type: "query"
+source: |
+ any([headers.return_path.email],
+ strings.ilike(headers.return_path.local_part, "*+caf_=*") and type.inbound
+ )
+
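Review bot: The `strings.ilike(headers.return_path.local_part, "*+caf_=*")` line has no null guard, whereas the sibling signals/headers/headers_mismatched_from_return_path.yml in this diff checks `headers.return_path.email is not null` before using it; if Return-Path can be absent, the same guard belongs here, and if it cannot, the `any([headers.return_path.email], ...)` wrapper adds nothing and the body reads more plainly as `type.inbound and strings.ilike(headers.return_path.local_part, "*+caf_=*")`. The file also ends with an extra empty line (the final `+` line), which none of the other new signals have.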
diff --git a/signals/headers/headers_microsoft_scl.yml b/signals/headers/headers_microsoft_scl.yml
new file mode 100644
index 00000000000..6f501f14a24
--- /dev/null
+++ b/signals/headers/headers_microsoft_scl.yml
@@ -0,0 +1,8 @@
+name: "Microsoft SCL"
+type: "query"
+source: |
+ filter(
+ map(headers.hops,
+ map(filter(.fields, .name =~ "X-ms-exchange-organization-scl"), .value)
+ ), length(.) > 0
+ )
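Review bot: Nothing in the new file says where the SCL value is trusted from: the `X-MS-Exchange-Organization-*` headers are stamped by the tenant's own Exchange/EOP hop and, as far as I recall, stripped from mail arriving from outside, but when a third-party gateway is in front of Exchange the header can appear in a hop the sender controls. A comment above `filter(` such as `// Organization-* headers are only meaningful when stamped by the org's own Exchange/EOP hop; treat values found in external hops as untrusted` would keep downstream consumers from reading this signal as authoritative. It may also help to note that the expression yields one list of values per hop rather than a single SCL.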
diff --git a/signals/headers/headers_mismatched_from_reply_to.yml b/signals/headers/headers_mismatched_from_reply_to.yml
new file mode 100644
index 00000000000..b6c05c0dace
--- /dev/null
+++ b/signals/headers/headers_mismatched_from_reply_to.yml
@@ -0,0 +1,7 @@
+name: "Mismatched From and Reply-to Doms"
+type: "query"
+source: |
+ any(headers.reply_to,
+ length(headers.reply_to) > 0
+ and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)
+ )
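Review bot: The `length(headers.reply_to) > 0` test inside `any(headers.reply_to, ...)` is redundant — `any` over an empty list is presumably false here as elsewhere — and the `any` body never refers to the current element, so the whole expression reduces to `length(headers.reply_to) > 0 and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)`; the wrapper obscures that and the flat form is easier to read. The name abbreviates "Domains" to `Doms`, unlike the spelled-out sibling `Mismatched From and Return-Path`; spell it out for consistency.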
diff --git a/signals/headers/headers_mismatched_from_return_path.yml b/signals/headers/headers_mismatched_from_return_path.yml
new file mode 100644
index 00000000000..4557ab04dad
--- /dev/null
+++ b/signals/headers/headers_mismatched_from_return_path.yml
@@ -0,0 +1,8 @@
+name: "Mismatched From and Return-Path"
+type: "query"
+source: |
+ any([headers.return_path.email],
+ (headers.return_path.email is not null
+ and headers.return_path.email != sender.email.email
+ and type.inbound)
+ )
diff --git a/signals/headers/headers_phishing_simulation_cofense.yml b/signals/headers/headers_phishing_simulation_cofense.yml
new file mode 100644
index 00000000000..1a6427e8350
--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_cofense.yml
@@ -0,0 +1,16 @@
+name: "Cofense PhishMe phishing simulation"
+type: "query"
+source: |
+ any(headers.ips, .ip in (
+ "13.113.166.58",
+ "35.182.57.68",
+ "52.1.96.230",
+ "52.20.128.29",
+ "52.20.155.14",
+ "52.28.182.143",
+ "52.28.252.18",
+ "52.29.24.224",
+ "52.29.5.79",
+ "52.5.119.169",
+ "52.62.59.61",
+ ))
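Review bot: The list literal ends with a trailing comma (`"52.62.59.61",` directly before `))`); if the query parser does not accept trailing commas the file fails to load, and if it does, the comma is still inconsistent with the other new signals. More importantly, `headers.ips` presumably covers every Received hop, including those prepended before the message reached the organization, and values in those hops are under the sender's control; if this signal (or the KnowBe4 one in signals/headers/headers_phishing_simulation_knowbe4.yml) is ever used to suppress detections, restrict it to the hop adjacent to the org's edge or to a verified signature, as the HoxHunt signal does. A comment recording the source and date of the address list would also help, since vendor infrastructure changes and these constants will go stale silently.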
diff --git a/signals/headers/headers_phishing_simulation_hoxhunt.yml b/signals/headers/headers_phishing_simulation_hoxhunt.yml
new file mode 100644
index 00000000000..97463d5042a
--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_hoxhunt.yml
@@ -0,0 +1,4 @@
+name: "HoxHunt phishing simulation"
+type: "query"
+source: |
+ any(headers.hops, strings.ends_with(.signature.domain, ".hoxhuntsigning.com"))
diff --git a/signals/headers/headers_phishing_simulation_knowbe4.yml b/signals/headers/headers_phishing_simulation_knowbe4.yml
new file mode 100644
index 00000000000..9fc45b7a381
--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_knowbe4.yml
@@ -0,0 +1,4 @@
+name: "KnowBe4 phishing simulation"
+type: "query"
+source: |
+ any(headers.ips, regex.match(.ip, '147\.10\.167\.([0-9]|[0-5][0-9]|6[0-3])', '23.21.109.(197|212)', '52.49.(201.246|235.189)'))
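Review bot: The dots are escaped only in the first pattern on the `regex.match` line; in `'23.21.109.(197|212)'` and `'52.49.(201.246|235.189)'` each `.` is a wildcard, which is almost certainly not what was meant and differs from the first pattern's style. Write them as `'23\.21\.109\.(197|212)'` and `'52\.49\.(201\.246|235\.189)'`. Also confirm whether `regex.match` anchors at both ends; if it does not, `147\.10\.167\.([0-9]|[0-5][0-9]|6[0-3])` also accepts addresses such as `147.10.167.100` through the `[0-9]` alternative, and the octet range needs an explicit end anchor.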
diff --git a/signals/headers/headers_undisclosed_recipients.yml b/signals/headers/headers_undisclosed_recipients.yml
new file mode 100644
index 00000000000..0f2e86ad8f3
--- /dev/null
+++ b/signals/headers/headers_undisclosed_recipients.yml
@@ -0,0 +1,6 @@
+name: "Undisclosed Recipients"
+type: "query"
+source: |
+ any([recipients.to, recipients.bcc, recipients.cc],
+ any(., .display_name =~ "Undisclosed recipients:")
+ )
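Review bot: The `=~ "Undisclosed recipients:"` comparison requires the trailing colon, while detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml earlier in this diff compares against `"Undisclosed recipients"` with no colon, so the two disagree on the same message depending on whether the display name carries the colon. Pick one normalization and use it in both places, e.g. `strings.istarts_with(.display_name, "Undisclosed recipients")`, with a comment noting that the colon is not reliably present.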
diff --git a/signals/headers/headers_x_originating_ip.yml b/signals/headers/headers_x_originating_ip.yml
new file mode 100644
index 00000000000..07ee4ec53a1
--- /dev/null
+++ b/signals/headers/headers_x_originating_ip.yml
@@ -0,0 +1,4 @@
+name: "X-Originating-IP"
+type: "query"
+source: |
+ headers.x_originating_ip.ip
diff --git a/signals/links/link_google_open_redirect.yml b/signals/links/link_google_open_redirect.yml
index 2e6a6d2e877..5d5aa0ac8e5 100644
--- a/signals/links/link_google_open_redirect.yml
+++ b/signals/links/link_google_open_redirect.yml
@@ -2,4 +2,4 @@ name: "Link: Google Open Redirect"
type: "query"
source: |
length(filter(body.links,
- regex.icontains(.href_url.url, "https?://(www.)?google.[a-zA-Z]{2,}/url\\?q=https?://.+")))
+ regex.icontains(.href_url.url, "https?://(www.)?google.[a-zA-Z]{2,}/url\\?(hl=.{2})?&q=http(s)?://")))
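Review bot: The new pattern on the `+` line breaks the case the old one matched: when the optional `(hl=.{2})?` is absent, the remainder demands a literal `&` right after `url?`, so `https://www.google.com/url?q=https://...` no longer matches. The ampersand has to move inside the optional group: `"https?://(www.)?google.[a-zA-Z]{2,}/url\\?(hl=.{2}&)?q=http(s)?://"`. The `.{2}` for `hl` also rejects language tags such as `en-US` or `zh-CN`, where `[^&]*` would be more tolerant; the unescaped dots in `www.` and `google.` predate this change, but escaping them while the line is being touched would tighten the match.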