Merge branch 'main' into morriscode-gitgudnoob

detection-rules/attachment_docusign_image_suspicious_links.yml

@@ -1,7 +1,7 @@
 name: "Attachment: DocuSign image lure with no DocuSign domains in links"
 description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and length(filter(attachments, .file_type not in $file_types_images)) == 0

detection-rules/attachment_eml_cred_theft.yml

@@ -10,11 +10,13 @@ source: |
           .content_type == "message/rfc822"
           and any(file.explode(.),
                   any(.scan.url.urls,
-                      .domain.root_domain in $free_subdomain_hosts
-                      or .domain.root_domain in ("sharepoint.com")
-                      or .domain.root_domain not in $tranco_1m
+                      (
+                        .domain.root_domain in $free_subdomain_hosts
+                        or .domain.root_domain in ("sharepoint.com")
+                        or .domain.root_domain not in $tranco_1m
+                      )
+                      and beta.linkanalysis(.).credphish.disposition == "phishing"
                   )
-                  and any(.scan.url.urls, beta.linkanalysis(.).credphish.disposition == "phishing")
           )
   )
 

detection-rules/attachment_microsoft_image_lure_qr_code.yml

@@ -2,7 +2,7 @@ name: "Brand impersonation: Microsoft (QR code)"
 description: |
   Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and (

detection-rules/attachment_office365_image.yml

@@ -2,7 +2,7 @@ name: "Attachment: Office365 image (unsolicited)"
 description: |
   Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and length(filter(attachments, .file_type not in $file_types_images)) == 0

detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml

@@ -12,7 +12,7 @@ source: |
           .file_extension == "pdf"
           and any(file.explode(.),
                   any(.scan.pdf.urls,
-                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)')
+                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
                       and .domain.root_domain not in $tranco_1m
                   )
           )

detection-rules/impersonation_amazon.yml

@@ -14,7 +14,7 @@ source: |
   )
   and (
     regex.icontains(sender.display_name,
-                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)'
+                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
     )
     or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
     or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1

detection-rules/impersonation_fedex.yml

@@ -13,7 +13,7 @@ source: |
     or strings.ilike(sender.email.domain.domain, '*fedex*')
   )
   // sedex.com is not affiliated with FedEx, but is an apparent FP
-  and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com')
+  and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com', 'myworkday.com')
   and sender.email.email not in $sender_emails
 attack_types:
   - "Credential Phishing"

detection-rules/impersonation_human_resources.yml

@@ -9,16 +9,13 @@ source: |
                       '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
   )
   and (length(body.links) > 0 or length(attachments) > 0)
-
+  
   // Request and Urgency 
-  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")
-  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
+  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
+  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
   and (
-    (
-      length(ml.nlu_classifier(body.html.inner_text).intents) > 0
-      and any(ml.nlu_classifier(body.html.inner_text).intents, .name != "benign")
-    )
-    or length(ml.nlu_classifier(body.html.inner_text).intents) == 0
+    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
+    and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0
   )
   and (
     (

detection-rules/impersonation_paypal.yml

@@ -49,6 +49,7 @@ source: |
     'paypalcorp.com',
     'paypal-customerfeedback.com',
     'paypal-creditsurvey.com',
+    'paypal-prepaid.com',
     'xoom.com'
   )
 

detection-rules/impersonation_zoom_strict.yml

@@ -13,7 +13,7 @@ source: |
     or sender.display_name =~ 'zoom video communications, inc.'
     or sender.display_name =~ 'zoom call'
   )
-  and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com')
+  and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com','zoomgov.com')
   and (
     // if this comes from a free email provider,
     // flag if org has never sent an email to sender's email before

detection-rules/link_credential_phishing_voicemail_language.yml

@@ -36,6 +36,7 @@ source: |
       any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
     ),
   )
+  and sender.email.domain.root_domain not in ("magicjack.com")
   and (
     (
       sender.email.domain.root_domain in $free_email_providers

detection-rules/link_google_amp_suspicious_indicators.yml

@@ -10,10 +10,10 @@ severity: "medium"
 source: |
   type.inbound
 
-  // Any body links with a domain SLD of 'google' and a path starting with /amp/s
+  // Any body links with a domain SLD of 'google' and a path starting with /amp
   and any(body.links,
           .href_url.domain.sld == "google"
-          and strings.starts_with(.href_url.path, "/amp/s/")
+          and strings.starts_with(.href_url.path, "/amp/")
 
           // Brand Logo detected that is not google
           and (

detection-rules/link_html_smuggling_with_google_drive_branding.yml

@@ -8,6 +8,7 @@ references:
 severity: "high"
 source: |
   type.inbound
+  and length(body.links) < 10
   and any(body.links,
           // This isn't a Google Drive link
           .href_url.domain.root_domain != "google.com"

detection-rules/spam_new_domain_emojis.yml

@@ -9,6 +9,9 @@ source: |
   // sender is a freemail
   and sender.email.domain.root_domain in $free_email_providers
 
+  // linked domain is less than 10 days old
+  and any(body.links, beta.whois(.href_url.domain).days_old < 10)
+
   // has an emoji in the subject or body
   and (
     regex.contains(body.plain.raw,