From 822924b703455ea7b259c63fe27699716f44bf40 Mon Sep 17 00:00:00 2001 From: Josh Kamdjou Date: Wed, 20 Sep 2023 08:35:43 -0700 Subject: [PATCH 1/6] Exclude automatic out of office replies (#801) --- .../body_business_email_compromise_new_sender.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml index 1c509c258c0..16fb9df2d5f 100644 --- a/detection-rules/body_business_email_compromise_new_sender.yml +++ b/detection-rules/body_business_email_compromise_new_sender.yml @@ -10,7 +10,12 @@ source: | ) // negating legit replies and not ( - strings.istarts_with(subject.subject, "RE:") + ( + strings.istarts_with(subject.subject, "RE:") + // out of office auto-reply + // the NLU model will handle these better natively soon + or strings.istarts_with(subject.subject, "Automatic reply:") + ) and ( length(headers.references) > 0 or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) From ea97cf31683043e62e05c18ad0148230c65b6ced Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 12:03:10 -0400 Subject: [PATCH 2/6] Negate FP: link_credential_phishing_voicemail_language.yml (#803) --- ...credential_phishing_voicemail_language.yml | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml index 0df96e25fe3..a5eb16d114e 100644 --- a/detection-rules/link_credential_phishing_voicemail_language.yml +++ b/detection-rules/link_credential_phishing_voicemail_language.yml @@ -25,7 +25,11 @@ source: | all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain and .href_url.domain.root_domain not in $org_domains - and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com") + and .href_url.domain.root_domain not in ( + "unitelvoice.com", + "googleapis.com", + "dialmycalls.com" + ) ) ), ( @@ -34,6 +38,20 @@ source: | ), ) and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com") + + // negating legit replies + and not ( + ( + strings.istarts_with(subject.subject, "RE:") + // out of office auto-reply + // the NLU model will handle these better natively soon + or strings.istarts_with(subject.subject, "Automatic reply:") + ) + and ( + length(headers.references) > 0 + or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + ) and ( ( sender.email.domain.root_domain in $free_email_providers From d7b5d348325202ca46d9d0749c4be897c99da121 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 12:54:36 -0400 Subject: [PATCH 3/6] New Rule: Credential Phishing: Suspicious language, link, recipients and other indicators (#804) Co-authored-by: ID Generator --- ...icious_language_undisclosed_recipients.yml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 detection-rules/link_suspicious_language_undisclosed_recipients.yml diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml new file mode 100644 index 00000000000..7fcb7a130ba --- /dev/null +++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml @@ -0,0 +1,61 @@ +name: "Credential Phishing: Suspicious language, link, recipients and other indicators" +description: | + The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender. +type: "rule" +severity: "medium" +source: | + type.inbound + + // no recipients defined + and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients")) + and length(recipients.cc) == 0 + and length(recipients.bcc) == 0 + + and any(body.links, + + // suspicious link + // we've particularly seen 1drv.ms abused + // if using the full list causes FPs, we can reduce the + // scope to a hard-coded list or add exclusions + ( + .href_url.domain.domain in $free_file_hosts + or .href_url.domain.root_domain in $free_subdomain_hosts + ) + + // link text is in all caps + and regex.match(.display_text, "[A-Z ]+") + ) + + // any confidence cred_theft classification + and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft") + + // 'org' entity is in all caps + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "org" and regex.match(.text, "[A-Z ]+") + ) + + // subject is in all caps + and regex.match(subject.subject, "[A-Z ]+") + + // first-time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" + - "URL analysis" +id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3" From a979ae94d59db87d9bf9d34df96705cb986cfeab Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 13:12:05 -0400 Subject: [PATCH 4/6] FP fix: Update link_microsoft_low_reputation.yml (#791) Co-authored-by: Josh Kamdjou --- .../link_microsoft_low_reputation.yml | 253 +++++++++--------- 1 file changed, 129 insertions(+), 124 deletions(-) diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml index 3579bb944e5..5e467937174 100644 --- a/detection-rules/link_microsoft_low_reputation.yml +++ b/detection-rules/link_microsoft_low_reputation.yml @@ -3,134 +3,139 @@ description: "Detects low reputation links with Microsoft specific indicators in type: "rule" severity: "medium" source: | - type.inbound - // suspicious link - and any(body.links, - ( - .href_url.domain.root_domain not in $tranco_1m - or .href_url.domain.domain in $free_file_hosts - or .href_url.domain.root_domain in $free_subdomain_hosts - or .href_url.domain.domain in $url_shorteners - or - - // mass mailer link, masks the actual URL - .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net") - - // Google AMP redirect - or ( - .href_url.domain.sld == "google" - and strings.starts_with(.href_url.path, "/amp/") - ) - ) - - // exclude sources of potential FPs - and .href_url.domain.root_domain not in ( - "svc.ms", - "sharepoint.com", - "1drv.ms", - "microsoft.com" - ) - ) - - // not a reply - and ( - length(headers.references) == 0 - or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) - ) - - // Microsoft logo - and ( - any(attachments, - .file_type in $file_types_images - and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) - ) - or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) - ) - - // suspicious content - and ( - ( - strings.ilike(body.plain.raw, - "*password*", - "*document*", - "*voicemail*", - "*cache*", - "*fax*", - "*storage*", - "*quota*", - "*messages*" - ) - and strings.ilike(body.plain.raw, - "*terminated*", - "*review*", - "*expire*", - "*click*", - "*view*", - "*exceed*", - "*clear*", - "*only works*", - "*failed*", - "*deleted*" - ) - ) - or ( - any(attachments, + type.inbound + // suspicious link + and any(body.links, + ( + .href_url.domain.root_domain not in $tranco_1m + or .href_url.domain.domain in $free_file_hosts + or .href_url.domain.root_domain in $free_subdomain_hosts + or .href_url.domain.domain in $url_shorteners + or + + // mass mailer link, masks the actual URL + .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net") + + // Google AMP redirect + or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/")) + ) + + // exclude sources of potential FPs + and ( + .href_url.domain.root_domain not in ( + "svc.ms", + "sharepoint.com", + "1drv.ms", + "microsoft.com", + "aka.ms", + "msftauthimages.net" + ) + or any(body.links, .href_url.domain.domain in $free_file_hosts) + ) + ) + + // not a reply + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // Microsoft logo + and ( + any(attachments, + .file_type in $file_types_images + and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) + ) + or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) + ) + + // suspicious content + and ( + ( + strings.ilike(body.plain.raw, + "*password*", + "*document*", + "*voicemail*", + "*cache*", + "*fax*", + "*storage*", + "*quota*", + "*messages*" + ) + and strings.ilike(body.plain.raw, + "*terminated*", + "*review*", + "*expire*", + "*click*", + "*view*", + "*exceed*", + "*clear*", + "*only works*", + "*failed*", + "*deleted*" + ) + ) + or ( + any(attachments, + .file_type in $file_types_images + and any(file.explode(.), + strings.ilike(.scan.ocr.raw, + "*password*", + "*document*", + "*voicemail*", + "*cache*", + "*fax*", + "*storage*", + "*quota*", + "*messages*" + ) + and strings.ilike(.scan.ocr.raw, + "*terminated*", + "*review*", + "*expire*", + "*click*", + "*view*", + "*exceed*", + "*clear*", + "*only works*", + "*failed*", + "*deleted*" + ) + ) + ) + ) + ) + and ( + any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "cred_theft" and .confidence in~ ("medium", "high") + ) + or any(attachments, .file_type in $file_types_images and any(file.explode(.), - strings.ilike(.scan.ocr.raw, - "*password*", - "*document*", - "*voicemail*", - "*cache*", - "*fax*", - "*storage*", - "*quota*", - "*messages*" - ) - and strings.ilike(.scan.ocr.raw, - "*terminated*", - "*review*", - "*expire*", - "*click*", - "*view*", - "*exceed*", - "*clear*", - "*only works*", - "*failed*", - "*deleted*" + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "cred_theft" and .confidence in ("medium", "high") ) ) - ) - ) - ) - and ( - any(ml.nlu_classifier(body.html.inner_text).intents, - .name == "cred_theft" and .confidence in~ ("medium", "high") - ) - or any(attachments, - .file_type in $file_types_images - and any(file.explode(.), - any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft") - ) - ) - or ( - any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") - and not any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "benign" and .confidence == "high" - ) - ) - ) - and sender.email.domain.root_domain not in ( - "bing.com", - "microsoft.com", - "microsoftonline.com", - "microsoftsupport.com", - "microsoft365.com", - "office.com", - "onedrive.com", - "sharepointonline.com", - "yammer.com" - ) + ) + or ( + any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") + and not any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "benign" and .confidence == "high" + ) + ) + ) + and sender.email.domain.root_domain not in ( + "bing.com", + "microsoft.com", + "microsoftonline.com", + "microsoftsupport.com", + "microsoft365.com", + "office.com", + "onedrive.com", + "sharepointonline.com", + "yammer.com" + ) + attack_types: - "Credential Phishing" tactics_and_techniques: From eb1e15e181786b3fd462b80a509410ff6c885eb4 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 21 Sep 2023 14:46:24 -0400 Subject: [PATCH 5/6] New Rule: HTML smuggling with decimal encoding (#806) Co-authored-by: ID Generator --- ...chment_html_smuggling_decimal_encoding.yml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 detection-rules/attachment_html_smuggling_decimal_encoding.yml diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml new file mode 100644 index 00000000000..236d94bf693 --- /dev/null +++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml @@ -0,0 +1,39 @@ +name: "Attachment: HTML smuggling with decimal encoding" +description: | + Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml") + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + ) + or .file_extension in~ $file_extensions_common_archives + or .file_type == "html" + or .content_type == "text/html" + ) + and any(file.explode(.), + // suspicious identifiers + any(.scan.strings.strings, + regex.contains(., '(\d{2,3},){60,}') + ) + ) + ) +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" +id: "f99213c4-7031-50b1-ae81-b45f790d3fa4" From f6052cbd996c95ed67a4200af7f65dc6ec3c1b0e Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 21 Sep 2023 18:12:26 -0400 Subject: [PATCH 6/6] New Rule: Attachment: HTML smuggling 'body onload' linking to suspicious destination (#808) Co-authored-by: ID Generator --- .../attachment_html_smuggling_body_onload.yml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 detection-rules/attachment_html_smuggling_body_onload.yml diff --git a/detection-rules/attachment_html_smuggling_body_onload.yml b/detection-rules/attachment_html_smuggling_body_onload.yml new file mode 100644 index 00000000000..2b401202409 --- /dev/null +++ b/detection-rules/attachment_html_smuggling_body_onload.yml @@ -0,0 +1,49 @@ +name: "Attachment: HTML smuggling 'body onload' linking to suspicious destination" +description: | + Potential HTML Smuggling. + This rule inspects HTML attachments that contain a single link and leveraging an HTML body onload event. The linked domain must be in the URLhaus trusted repoters list, or have a suspicious TLD. +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml") + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + ) + or .file_extension in~ $file_extensions_common_archives + or .file_type == "html" + or .content_type == "text/html" + ) + and any(file.explode(.), + not length(.scan.url.invalid_urls) > 0 + and length(.scan.url.urls) == 1 + and any(.scan.strings.strings, strings.ilike(., "*body onload*")) + and ( + any(.scan.url.urls, + .domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters + + // To-do uncomment below when list is created + //or .domain.root_domain in $suspicious_root_domains + or .domain.tld in $suspicious_tlds + ) + ) + ) + ) +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Link analysis" +id: "c1e2beed-e71e-58d2-b922-9601337645b2"