diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index 66d917790b3..514b82554c1 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -1,7 +1,7 @@
 name: "Attachment: DocuSign image lure with no DocuSign domains in links"
 description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and length(filter(attachments, .file_type not in $file_types_images)) == 0
diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
index a45ea4fc34e..a85a54f7777 100644
--- a/detection-rules/attachment_eml_cred_theft.yml
+++ b/detection-rules/attachment_eml_cred_theft.yml
@@ -10,11 +10,13 @@ source: |
 .content_type == "message/rfc822"
 and any(file.explode(.),
 any(.scan.url.urls,
- .domain.root_domain in $free_subdomain_hosts
- or .domain.root_domain in ("sharepoint.com")
- or .domain.root_domain not in $tranco_1m
+ (
+ .domain.root_domain in $free_subdomain_hosts
+ or .domain.root_domain in ("sharepoint.com")
+ or .domain.root_domain not in $tranco_1m
+ )
+ and beta.linkanalysis(.).credphish.disposition == "phishing"
 )
- and any(.scan.url.urls, beta.linkanalysis(.).credphish.disposition == "phishing")
 )
 )
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 6846c8ffb71..893ce305af0 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
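Review bot: The rebuilt `any(.scan.url.urls, ...)` now demands that the low-reputation domain test and `beta.linkanalysis(.).credphish.disposition == "phishing"` hold for the same URL, whereas the removed lines accepted them on different URLs; that is a deliberate narrowing rather than a refactor, and nothing in the hunk records it. Suggest a comment above the opening `(`: `// the low-reputation domain and the credphish verdict must hold for the same URL`. Because `.domain.root_domain not in $tranco_1m` is the widest arm of the group, link analysis is now requested for every URL outside the top 1M (only for those, if the `and` short-circuits), which is presumably cheaper than the old unconditional scan but worth confirming. The enclosing expression begins before the hunk.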
@@ -2,7 +2,7 @@ name: "Brand impersonation: Microsoft (QR code)"
 description: |
 Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and (
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index 7a6de0ff984..012788a6b7a 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -2,7 +2,7 @@ name: "Attachment: Office365 image (unsolicited)"
 description: |
 Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
 type.inbound
 and length(filter(attachments, .file_type not in $file_types_images)) == 0
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
index b55fdc8dca4..c89d21b1247 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -12,7 +12,7 @@ source: |
 .file_extension == "pdf"
 and any(file.explode(.),
 any(.scan.pdf.urls,
- regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)')
+ regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
 and .domain.root_domain not in $tranco_1m
 )
 )
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 6f42d5e2b02..0070ab55275 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
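Review bot: The `\b` added to `regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')` only stops the extension from running into further word characters (so `.sh` no longer matches inside `.shtml`); because `.`, `-` and `/` are non-word characters a path such as `/doc.exe.html` still matches, and `regex.contains` is case-sensitive, so an upper-case `.EXE` is missed entirely. If the intent is "path ends with one of these extensions", anchor it and use the case-insensitive form this rule set already uses elsewhere: `regex.icontains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)$')`, assuming `.path` carries no query string. The enclosing expression begins before the hunk.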
@@ -14,7 +14,7 @@ source: | ) and ( regex.icontains(sender.display_name, - '\b[aaa๐ฐa๏ฝ๐‘Ž๐—ฎ๐•’๐–†๐“ช๐šŠ๐žชะฐษ‘ฮฑ๐”ž๐’‚๐˜ข๐›‚โบ๐’ถ๐™–๐œถ๐›ผ๐š๐–บ]maz[o0]n\s?(pay|marketplace|\.com)' + '\b[aaa๐ฐa๏ฝ๐‘Ž๐—ฎ๐•’๐–†๐“ช๐šŠ๐žชะฐษ‘ฮฑ๐”ž๐’‚๐˜ข๐›‚โบ๐’ถ๐™–๐œถ๐›ผ๐š๐–บ]maz[o0]n\s?(pay|marketplace|\.com)|แตƒโคปแถป' ) or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1 or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1 diff --git a/detection-rules/impersonation_fedex.yml b/detection-rules/impersonation_fedex.yml index 7f7a5f3fb70..77073c7a3d4 100644 --- a/detection-rules/impersonation_fedex.yml +++ b/detection-rules/impersonation_fedex.yml @@ -13,7 +13,7 @@ source: | or strings.ilike(sender.email.domain.domain, '*fedex*') ) // sedex.com is not affiliated with FedEx, but is an apparent FP - and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com') + and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com', 'myworkday.com') and sender.email.email not in $sender_emails attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index 0d82b2eab79..96c9e0d6bdc 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml 
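Review bot: The alternative appended after `(pay|marketplace|\.com)` in the `sender.display_name` regex has no `\b` anchor and no `maz[o0]n` context, unlike the branch it joins, so those three characters match anywhere in the display name, and nothing says which lure variant they represent. Add a line above the `regex.icontains` such as `// <describe the observed display-name variant this branch matches>` and consider anchoring it in the same style as the first branch. The characters render garbled in this view; confirm the committed bytes are the intended UTF-8 code points, since a mis-encoded branch can never match.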
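Review bot: `'myworkday.com'` joins the FedEx root-domain exclusion without the justification the line above gives for `sedex.com`; add a matching comment, e.g. `// myworkday.com: <reason this domain is excluded>`. Exempting the whole root domain means any message from it whose display name or sender domain matches `*fedex*` is now skipped by this rule, so if the false positive is one specific notification type, a narrower condition would keep coverage.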
@@ -9,16 +9,13 @@ source: |
 '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
 )
 and (length(body.links) > 0 or length(attachments) > 0)
-
+ // Request and Urgency
- and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")
- and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
+ and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
+ and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
 and (
- (
- length(ml.nlu_classifier(body.html.inner_text).intents) > 0
- and any(ml.nlu_classifier(body.html.inner_text).intents, .name != "benign")
- )
- or length(ml.nlu_classifier(body.html.inner_text).intents) == 0
+ any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
+ and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0
 )
 and (
 (
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
index 0397e338e65..f8c180384a7 100644
--- a/detection-rules/impersonation_paypal.yml
+++ b/detection-rules/impersonation_paypal.yml
@@ -49,6 +49,7 @@ source: |
 'paypalcorp.com',
 'paypal-customerfeedback.com',
 'paypal-creditsurvey.com',
+ 'paypal-prepaid.com',
 'xoom.com'
 )
diff --git a/detection-rules/impersonation_zoom_strict.yml b/detection-rules/impersonation_zoom_strict.yml
index 113023c9430..73980c81631 100644
--- a/detection-rules/impersonation_zoom_strict.yml
+++ b/detection-rules/impersonation_zoom_strict.yml
@@ -13,7 +13,7 @@ source: |
 or sender.display_name =~ 'zoom video communications, inc.'
 or sender.display_name =~ 'zoom call'
 )
- and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com')
+ and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com','zoomgov.com')
 and (
 // if this comes from a free email provider,
 // flag if org has never sent an email to sender's email before
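Review bot: `and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0` is redundant if `any()` over an empty list evaluates to false in this rule language, since the `any(..., .name != "benign")` directly above already fails with zero intents. The substantive change is that the removed `or length(...) == 0` branch let messages with no classified intents match, while the new expression requires at least one non-benign intent, which narrows the rule; if that is intended, drop the redundant conjunct and record it: `// require at least one non-benign intent (messages with no intents no longer match)`. `ml.nlu_classifier(body.current_thread.text)` is also invoked four times in the new lines, which is repeated classification work unless the engine caches it. The `and (` on the last lines continues past the hunk.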
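Review bot: Style: `'zuora.com','zoomgov.com'` drops the space after the comma that the rest of the tuple uses; write `('zoom.us', 'zuora.com', 'zoomgov.com')`. A short comment on why `zoomgov.com` is exempt would also help, since the rule annotates its other branches inline.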
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 4ef462f6b0f..c5416581259 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -36,6 +36,7 @@ source: |
 any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
 ),
 )
+ and sender.email.domain.root_domain not in ("magicjack.com")
 and (
 (
 sender.email.domain.root_domain in $free_email_providers
diff --git a/detection-rules/link_google_amp_suspicious_indicators.yml b/detection-rules/link_google_amp_suspicious_indicators.yml
index 8ee20811c2a..21209aa3456 100644
--- a/detection-rules/link_google_amp_suspicious_indicators.yml
+++ b/detection-rules/link_google_amp_suspicious_indicators.yml
@@ -10,10 +10,10 @@ severity: "medium"
 source: |
 type.inbound
- // Any body links with a domain SLD of 'google' and a path starting with /amp/s
+ // Any body links with a domain SLD of 'google' and a path starting with /amp
 and any(body.links,
 .href_url.domain.sld == "google"
- and strings.starts_with(.href_url.path, "/amp/s/")
+ and strings.starts_with(.href_url.path, "/amp/")
 // Brand Logo detected that is not google
 and (
diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
index 3a44b111f7d..0038b4ffdf7 100644
--- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml
+++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
@@ -8,6 +8,7 @@ references:
 severity: "high"
 source: |
 type.inbound
+ and length(body.links) < 10
 and any(body.links,
 // This isn't a Google Drive link
 .href_url.domain.root_domain != "google.com"
diff --git a/detection-rules/spam_new_domain_emojis.yml b/detection-rules/spam_new_domain_emojis.yml
index 5a070628d66..8b01256663d 100644
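Review bot: `and sender.email.domain.root_domain not in ("magicjack.com")` is an undocumented exclusion; other rules in this set explain such entries inline (the `sedex.com` note in impersonation_fedex.yml), so add `// magicjack.com: <reason for exclusion>` above it. Unless the rule elsewhere requires sender authentication to pass, the exemption keys on the claimed root domain only, so a message merely asserting that domain is exempt as well; tying the carve-out to an authentication result would keep it tight. The `and (` on the following lines continues past the hunk.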
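Review bot: `and length(body.links) < 10` introduces an unexplained threshold at the top of the rule; add a comment stating the intent, e.g. `// <reason for the link-count cap>`, presumably reducing false positives on link-heavy marketing mail. It also defines a gap: a message with ten or more links is excluded from this rule outright, which is worth recording so the trade-off stays visible to whoever tunes the threshold later.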
--- a/detection-rules/spam_new_domain_emojis.yml
+++ b/detection-rules/spam_new_domain_emojis.yml
@@ -9,6 +9,9 @@ source: |
 // sender is a freemail
 and sender.email.domain.root_domain in $free_email_providers
+ // linked domain is less than 10 days old
+ and any(body.links, beta.whois(.href_url.domain).days_old < 10)
+ // has an emoji in the subject or body
 and (
 regex.contains(body.plain.raw,
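Review bot: `beta.whois(.href_url.domain).days_old < 10` performs a whois lookup for every link in the body, and the hunk does not say what `days_old` yields when the lookup fails or the domain is unregistered; if it is null the comparison is presumably false, but confirm that, so a failed lookup can never satisfy the condition. Filtering with `.href_url.domain.root_domain not in $tranco_1m` before the whois call (`$tranco_1m` is already used by other rules in this set) would avoid querying established domains, and it is worth confirming that `beta.whois` resolves a subdomain to its registrable domain rather than being handed `.href_url.domain` as-is. The `and (` on the last lines continues past the hunk.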