diff --git a/detection-rules/attachment_html_smuggling_body_onload.yml b/detection-rules/attachment_html_smuggling_body_onload.yml
new file mode 100644
index 00000000000..2b401202409
--- /dev/null
+++ b/detection-rules/attachment_html_smuggling_body_onload.yml
@@ -0,0 +1,49 @@
+name: "Attachment: HTML smuggling 'body onload' linking to suspicious destination"
+description: |
+ Potential HTML Smuggling.
+ This rule inspects HTML attachments that contain a single link and leveraging an HTML body onload event. The linked domain must be in the URLhaus trusted repoters list, or have a suspicious TLD.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ )
+ or .file_extension in~ $file_extensions_common_archives
+ or .file_type == "html"
+ or .content_type == "text/html"
+ )
+ and any(file.explode(.),
+ not length(.scan.url.invalid_urls) > 0
+ and length(.scan.url.urls) == 1
+ and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
+ and (
+ any(.scan.url.urls,
+ .domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
+
+ // To-do uncomment below when list is created
+ //or .domain.root_domain in $suspicious_root_domains
+ or .domain.tld in $suspicious_tlds
+ )
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Link analysis"
+id: "c1e2beed-e71e-58d2-b922-9601337645b2"
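Review bot: The description line `The linked domain must be in the URLhaus trusted repoters list` misspells "reporters", and the sentence before it ("contain a single link and leveraging an HTML body onload event") does not parse; suggest `This rule inspects HTML attachments that contain a single link and leverage an HTML body onload event. The linked domain must be in the URLhaus trusted reporters list or have a suspicious TLD.` The `$suspicious_root_domains` clause left commented out under `// To-do uncomment below when list is created` has no tracking reference, so a comment naming the issue or owner would keep it from going stale. The match `strings.ilike(., "*body onload*")` is a literal substring test; if the intent is "any body element with an onload handler", a whitespace- and attribute-tolerant pattern such as `regex.icontains(., '<body[^>]*\bonload')` expresses that more directly, and either way the comment should say which form is covered.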
diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml
new file mode 100644
index 00000000000..236d94bf693
--- /dev/null
+++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml
@@ -0,0 +1,39 @@
+name: "Attachment: HTML smuggling with decimal encoding"
+description: |
+ Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ )
+ or .file_extension in~ $file_extensions_common_archives
+ or .file_type == "html"
+ or .content_type == "text/html"
+ )
+ and any(file.explode(.),
+ // suspicious identifiers
+ any(.scan.strings.strings,
+ regex.contains(., '(\d{2,3},){60,}')
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"
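Review bot: The pattern in `regex.contains(., '(\d{2,3},){60,}')` only matches runs where every value is immediately followed by a comma and has two or three digits; char-code lists are commonly written with a space after each comma and can contain single-digit values, so `(\d{1,3},\s?){60,}` would cover the usual formatting without widening the threshold of 60 values. The comment `// suspicious identifiers` above it does not describe what the check does; `// long run of comma-separated decimal values, as used in char-code-encoded payloads` would. The description mentions "large blocks of decimal encoding" but not the 60-value threshold, which is the tunable part of the rule and worth stating there.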
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index 1c509c258c0..16fb9df2d5f 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -10,7 +10,12 @@ source: |
)
// negating legit replies
and not (
- strings.istarts_with(subject.subject, "RE:")
+ (
+ strings.istarts_with(subject.subject, "RE:")
+ // out of office auto-reply
+ // the NLU model will handle these better natively soon
+ or strings.istarts_with(subject.subject, "Automatic reply:")
+ )
and (
length(headers.references) > 0
or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
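Review bot: The comment `// the NLU model will handle these better natively soon` on the new `Automatic reply:` clause is a dated TODO with nothing to track it; if this negation is meant to be temporary, name what should replace it or drop that line so it does not go stale. The same block, comment included, is added again in link_credential_phishing_voicemail_language.yml in this commit, so any change here should be mirrored there. It would also help to state in the comment that the subject prefix alone is not trusted — the negation still requires `headers.references` or an `In-Reply-To` hop, which is the property that keeps a prefix-only subject from suppressing the rule. The enclosing `source` block starts before the hunk.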
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 0df96e25fe3..a5eb16d114e 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -25,7 +25,11 @@ source: |
all(body.links,
.href_url.domain.root_domain != sender.email.domain.root_domain
and .href_url.domain.root_domain not in $org_domains
- and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
+ and .href_url.domain.root_domain not in (
+ "unitelvoice.com",
+ "googleapis.com",
+ "dialmycalls.com"
+ )
)
),
(
@@ -34,6 +38,20 @@ source: |
),
)
and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
+
+ // negating legit replies
+ and not (
+ (
+ strings.istarts_with(subject.subject, "RE:")
+ // out of office auto-reply
+ // the NLU model will handle these better natively soon
+ or strings.istarts_with(subject.subject, "Automatic reply:")
+ )
+ and (
+ length(headers.references) > 0
+ or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+ )
and (
(
sender.email.domain.root_domain in $free_email_providers
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 3579bb944e5..5e467937174 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -3,134 +3,139 @@ description: "Detects low reputation links with Microsoft specific indicators in
type: "rule"
severity: "medium"
source: |
- type.inbound
- // suspicious link
- and any(body.links,
- (
- .href_url.domain.root_domain not in $tranco_1m
- or .href_url.domain.domain in $free_file_hosts
- or .href_url.domain.root_domain in $free_subdomain_hosts
- or .href_url.domain.domain in $url_shorteners
- or
-
- // mass mailer link, masks the actual URL
- .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
-
- // Google AMP redirect
- or (
- .href_url.domain.sld == "google"
- and strings.starts_with(.href_url.path, "/amp/")
- )
- )
-
- // exclude sources of potential FPs
- and .href_url.domain.root_domain not in (
- "svc.ms",
- "sharepoint.com",
- "1drv.ms",
- "microsoft.com"
- )
- )
-
- // not a reply
- and (
- length(headers.references) == 0
- or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
- )
-
- // Microsoft logo
- and (
- any(attachments,
- .file_type in $file_types_images
- and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
- )
- or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
- )
-
- // suspicious content
- and (
- (
- strings.ilike(body.plain.raw,
- "*password*",
- "*document*",
- "*voicemail*",
- "*cache*",
- "*fax*",
- "*storage*",
- "*quota*",
- "*messages*"
- )
- and strings.ilike(body.plain.raw,
- "*terminated*",
- "*review*",
- "*expire*",
- "*click*",
- "*view*",
- "*exceed*",
- "*clear*",
- "*only works*",
- "*failed*",
- "*deleted*"
- )
- )
- or (
- any(attachments,
+ type.inbound
+ // suspicious link
+ and any(body.links,
+ (
+ .href_url.domain.root_domain not in $tranco_1m
+ or .href_url.domain.domain in $free_file_hosts
+ or .href_url.domain.root_domain in $free_subdomain_hosts
+ or .href_url.domain.domain in $url_shorteners
+ or
+
+ // mass mailer link, masks the actual URL
+ .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
+
+ // Google AMP redirect
+ or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/"))
+ )
+
+ // exclude sources of potential FPs
+ and (
+ .href_url.domain.root_domain not in (
+ "svc.ms",
+ "sharepoint.com",
+ "1drv.ms",
+ "microsoft.com",
+ "aka.ms",
+ "msftauthimages.net"
+ )
+ or any(body.links, .href_url.domain.domain in $free_file_hosts)
+ )
+ )
+
+ // not a reply
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+
+ // Microsoft logo
+ and (
+ any(attachments,
+ .file_type in $file_types_images
+ and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
+ )
+ or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
+ )
+
+ // suspicious content
+ and (
+ (
+ strings.ilike(body.plain.raw,
+ "*password*",
+ "*document*",
+ "*voicemail*",
+ "*cache*",
+ "*fax*",
+ "*storage*",
+ "*quota*",
+ "*messages*"
+ )
+ and strings.ilike(body.plain.raw,
+ "*terminated*",
+ "*review*",
+ "*expire*",
+ "*click*",
+ "*view*",
+ "*exceed*",
+ "*clear*",
+ "*only works*",
+ "*failed*",
+ "*deleted*"
+ )
+ )
+ or (
+ any(attachments,
+ .file_type in $file_types_images
+ and any(file.explode(.),
+ strings.ilike(.scan.ocr.raw,
+ "*password*",
+ "*document*",
+ "*voicemail*",
+ "*cache*",
+ "*fax*",
+ "*storage*",
+ "*quota*",
+ "*messages*"
+ )
+ and strings.ilike(.scan.ocr.raw,
+ "*terminated*",
+ "*review*",
+ "*expire*",
+ "*click*",
+ "*view*",
+ "*exceed*",
+ "*clear*",
+ "*only works*",
+ "*failed*",
+ "*deleted*"
+ )
+ )
+ )
+ )
+ )
+ and (
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence in~ ("medium", "high")
+ )
+ or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
- strings.ilike(.scan.ocr.raw,
- "*password*",
- "*document*",
- "*voicemail*",
- "*cache*",
- "*fax*",
- "*storage*",
- "*quota*",
- "*messages*"
- )
- and strings.ilike(.scan.ocr.raw,
- "*terminated*",
- "*review*",
- "*expire*",
- "*click*",
- "*view*",
- "*exceed*",
- "*clear*",
- "*only works*",
- "*failed*",
- "*deleted*"
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
)
)
- )
- )
- )
- and (
- any(ml.nlu_classifier(body.html.inner_text).intents,
- .name == "cred_theft" and .confidence in~ ("medium", "high")
- )
- or any(attachments,
- .file_type in $file_types_images
- and any(file.explode(.),
- any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
- )
- )
- or (
- any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
- and not any(ml.nlu_classifier(body.current_thread.text).intents,
- .name == "benign" and .confidence == "high"
- )
- )
- )
- and sender.email.domain.root_domain not in (
- "bing.com",
- "microsoft.com",
- "microsoftonline.com",
- "microsoftsupport.com",
- "microsoft365.com",
- "office.com",
- "onedrive.com",
- "sharepointonline.com",
- "yammer.com"
- )
+ )
+ or (
+ any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
+ and not any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "benign" and .confidence == "high"
+ )
+ )
+ )
+ and sender.email.domain.root_domain not in (
+ "bing.com",
+ "microsoft.com",
+ "microsoftonline.com",
+ "microsoftsupport.com",
+ "microsoft365.com",
+ "office.com",
+ "onedrive.com",
+ "sharepointonline.com",
+ "yammer.com"
+ )
+
attack_types:
- "Credential Phishing"
tactics_and_techniques:
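Review bot: The two cred_theft confidence checks in the new block disagree: the body check uses `.confidence in~ ("medium", "high")` while the OCR check uses `.confidence in ("medium", "high")`; if confidence values are always lowercase the difference is cosmetic, but one operator should be used for both. In the same block the intent check now reads `body.current_thread.text` while the urgency entity check a few lines below still reads `body.html.inner_text`; if the move to current_thread.text was deliberate (ignoring quoted history), the urgency check presumably wants the same source. Most of the hunk is a one-level re-indent of unchanged lines, which hides the real changes — `aka.ms` and `msftauthimages.net` added to the exclusion list, the new `or any(body.links, .href_url.domain.domain in $free_file_hosts)` escape from that exclusion, and the confidence threshold now applied to the OCR intent — so separating whitespace from logic would make this reviewable. That new `any(body.links, ...)` nested inside the outer `any(body.links, ...)` re-binds `.` to the inner iteration, so a comment such as `// keep an otherwise-excluded Microsoft link if any other link in the message points to a free file host` would make the intent explicit.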
diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
new file mode 100644
index 00000000000..7fcb7a130ba
--- /dev/null
+++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
@@ -0,0 +1,61 @@
+name: "Credential Phishing: Suspicious language, link, recipients and other indicators"
+description: |
+ The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ // no recipients defined
+ and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
+ and length(recipients.cc) == 0
+ and length(recipients.bcc) == 0
+
+ and any(body.links,
+
+ // suspicious link
+ // we've particularly seen 1drv.ms abused
+ // if using the full list causes FPs, we can reduce the
+ // scope to a hard-coded list or add exclusions
+ (
+ .href_url.domain.domain in $free_file_hosts
+ or .href_url.domain.root_domain in $free_subdomain_hosts
+ )
+
+ // link text is in all caps
+ and regex.match(.display_text, "[A-Z ]+")
+ )
+
+ // any confidence cred_theft classification
+ and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft")
+
+ // 'org' entity is in all caps
+ and any(ml.nlu_classifier(body.current_thread.text).entities,
+ .name == "org" and regex.match(.text, "[A-Z ]+")
+ )
+
+ // subject is in all caps
+ and regex.match(subject.subject, "[A-Z ]+")
+
+ // first-time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
+id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"
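Review bot: `regex.match(.display_text, "[A-Z ]+")`, and the same pattern applied to the `org` entity text and to `subject.subject`, carries no anchors; whether regex.match anchors implicitly is not visible here, but if it is a full-string match then any digit or punctuation in a subject defeats the check, and if it is a search then a single capital letter satisfies it. Writing `^[A-Z ]+$` documents the all-caps intent regardless of the function's default, and a comment should state whether excluding digits and punctuation is deliberate. The description should read `The rule flags inbound messages that have no visible recipients, contain all-caps link text, and include links from certain free hosts.`; it also omits the all-caps subject and 'org' entity checks that the source applies. The line `sender.email.domain.domain not in $sender_domains` compares `domain` where the free-provider branch compares `root_domain`; if that asymmetry is intended, a comment should say so.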