From 68c247ebbd7bbf2c25d3137d1881fced6f772fbf Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Wed, 30 Aug 2023 13:18:43 -0700 Subject: [PATCH 01/12] Updating Rule: Adding "shtml" negation (#739) Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Sam Scholten --- ...achment_pdf_with_low_reputation_link_to_suspicious_files.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml index b55fdc8dca4..c89d21b1247 100644 --- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml +++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml @@ -12,7 +12,7 @@ source: | .file_extension == "pdf" and any(file.explode(.), any(.scan.pdf.urls, - regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)') + regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b') and .domain.root_domain not in $tranco_1m ) ) From 8ff6fb28bda6389aff839fb0eeb60c71233d4dbb Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 31 Aug 2023 07:00:26 -0700 Subject: [PATCH 02/12] Updating Rule: Adding domain check (#744) --- detection-rules/spam_new_domain_emojis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/detection-rules/spam_new_domain_emojis.yml b/detection-rules/spam_new_domain_emojis.yml index 5a070628d66..8b01256663d 100644 --- a/detection-rules/spam_new_domain_emojis.yml +++ b/detection-rules/spam_new_domain_emojis.yml @@ -9,6 +9,9 @@ source: | // sender is a freemail and sender.email.domain.root_domain in $free_email_providers + // linked domain is less than 10 days old + and any(body.links, beta.whois(.href_url.domain).days_old < 10) + // has an emoji in the subject or body and ( regex.contains(body.plain.raw, From 6494cc315466ba8c1af58e33f9cee6f2d4cefb55 Mon Sep 17 00:00:00 2001 
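Review bot: The extension check on the changed line stays case-sensitive, so a path ending in `.EXE` or `.Exe` still escapes it even though the new `\b` correctly stops `sh` from matching `shtml`; the same series already relies on `regex.icontains` in impersonation_amazon.yml, so `regex.icontains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')` would close that gap without other changes. Note also that `\b` is satisfied by any non-word character, so `.exe.` or `.sh-` at the end of a path still matches, which is probably intended but deserves a comment above the line such as `// \b keeps 'sh' from matching 'shtml' while still allowing trailing punctuation`. The expression enclosing `.file_extension == "pdf"` opens before the hunk.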
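Review bot: The added `beta.whois(.href_url.domain)` call is handed the full link host, whereas the sender test two lines above and every other domain check in this series use `.root_domain`; registration data lives at the registrable domain, so if `beta.whois` does not normalise internally a subdomain argument may yield no age at all and the `< 10` comparison would silently fail. Unless the function's contract says otherwise, `and any(body.links, beta.whois(.href_url.domain.root_domain).days_old < 10)` is the safer form — please confirm against its documentation. A short comment stating what the rule does when WHOIS data is unavailable (presumably the comparison is false and the message is not flagged) would also help the next tuner. The emoji check that follows is cut off by the end of the hunk.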
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 31 Aug 2023 11:34:28 -0600 Subject: [PATCH 03/12] Update link analysis logic for EML attachment (#752) --- detection-rules/attachment_eml_cred_theft.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml index a45ea4fc34e..a85a54f7777 100644 --- a/detection-rules/attachment_eml_cred_theft.yml +++ b/detection-rules/attachment_eml_cred_theft.yml @@ -10,11 +10,13 @@ source: | .content_type == "message/rfc822" and any(file.explode(.), any(.scan.url.urls, - .domain.root_domain in $free_subdomain_hosts - or .domain.root_domain in ("sharepoint.com") - or .domain.root_domain not in $tranco_1m + ( + .domain.root_domain in $free_subdomain_hosts + or .domain.root_domain in ("sharepoint.com") + or .domain.root_domain not in $tranco_1m + ) + and beta.linkanalysis(.).credphish.disposition == "phishing" ) - and any(.scan.url.urls, beta.linkanalysis(.).credphish.disposition == "phishing") ) ) From 68a6b8d04011e15644da6ee9b39c28b68c7b7eed Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 31 Aug 2023 10:50:48 -0700 Subject: [PATCH 04/12] Updating rule: Adding PayPal domain (impersonation_paypal.yml) (#754) Co-authored-by: Sam Scholten --- detection-rules/impersonation_paypal.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml index 0397e338e65..f8c180384a7 100644 --- a/detection-rules/impersonation_paypal.yml +++ b/detection-rules/impersonation_paypal.yml @@ -49,6 +49,7 @@ source: | 'paypalcorp.com', 'paypal-customerfeedback.com', 'paypal-creditsurvey.com', + 'paypal-prepaid.com', 'xoom.com' ) From 9d230863761ed68d4fc1d38e56bd536f1fedba80 Mon Sep 17 00:00:00 2001 
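Review bot: The new parenthesised group ties the credphish verdict to the same URL that passed the domain filter, but nothing in the file records that this coupling is deliberate, and the earlier two-`any` form read as though it were not; a comment above the group such as `// the domain filter and the link-analysis verdict must hold for the same URL` would keep a later tuner from splitting them again. If the engine short-circuits `and`, `beta.linkanalysis` is now only reached for links that pass the cheap domain test, which is worth stating in the same comment as a presumably welcome side effect. The expression enclosing `.content_type == "message/rfc822"` opens before the hunk.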
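Review bot: `paypal-prepaid.com` joins the negated-domain list with nothing in the hunk recording how its ownership by PayPal was verified; because this list exempts senders from a brand-impersonation rule, an unverified entry is a standing exemption, so a line under the rule's `references:` key (if the file has one) or an inline `// ownership verified via <source — TODO>` comment should accompany it. The same point applies to `zoomgov.com` in impersonation_zoom_strict.yml (PATCH 05), `myworkday.com` in impersonation_fedex.yml (PATCH 07) and `magicjack.com` in link_credential_phishing_voicemail_language.yml (PATCH 10). Since ownership of a negated domain can change over time, noting a re-validation cadence for these lists somewhere in the repository would also be worthwhile.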
From: Sam Scholten Date: Thu, 31 Aug 2023 13:51:52 -0400 Subject: [PATCH 05/12] Negate FP: impersonation_zoom_strict.yml (#732) --- detection-rules/impersonation_zoom_strict.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/impersonation_zoom_strict.yml b/detection-rules/impersonation_zoom_strict.yml index 113023c9430..73980c81631 100644 --- a/detection-rules/impersonation_zoom_strict.yml +++ b/detection-rules/impersonation_zoom_strict.yml @@ -13,7 +13,7 @@ source: | or sender.display_name =~ 'zoom video communications, inc.' or sender.display_name =~ 'zoom call' ) - and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com') + and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com','zoomgov.com') and ( // if this comes from a free email provider, // flag if org has never sent an email to sender's email before From d1309551cba64be9a20900541f3f00faa5f1175c Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 31 Aug 2023 13:53:01 -0400 Subject: [PATCH 06/12] FP Tune: Update impersonation_human_resources.yml (#741) --- detection-rules/impersonation_human_resources.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index 0d82b2eab79..96c9e0d6bdc 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml 
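Review bot: The rewritten tuple on the changed line drops the space after the comma (`'zuora.com','zoomgov.com'`), unlike the other inline domain lists in this series, which separate entries with `', '`; write it `and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com', 'zoomgov.com')`. Consistent spacing matters here mainly because these lists are grepped and diffed by hand when tuning. The `and (` group that follows continues past the hunk.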
@@ -9,16 +9,13 @@ source: | '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)' ) and (length(body.links) > 0 or length(attachments) > 0) - + // Request and Urgency - and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request") - and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") + and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request") + and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency") and ( - ( - length(ml.nlu_classifier(body.html.inner_text).intents) > 0 - and any(ml.nlu_classifier(body.html.inner_text).intents, .name != "benign") - ) - or length(ml.nlu_classifier(body.html.inner_text).intents) == 0 + any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign") + and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0 ) and ( ( From 5a43a58d3a008cc3bfc4bab255fd14cd1046825e Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 31 Aug 2023 10:55:38 -0700 Subject: [PATCH 07/12] Updating Rule: Adding domain negation (impersonation_fedex.yml) (#755) Co-authored-by: Sam Scholten --- detection-rules/impersonation_fedex.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/impersonation_fedex.yml b/detection-rules/impersonation_fedex.yml index 7f7a5f3fb70..77073c7a3d4 100644 --- a/detection-rules/impersonation_fedex.yml +++ b/detection-rules/impersonation_fedex.yml @@ -13,7 +13,7 @@ source: | or strings.ilike(sender.email.domain.domain, '*fedex*') ) // sedex.com is not affiliated with FedEx, but is an apparent FP - and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com') + and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com', 'myworkday.com') and sender.email.email not in $sender_emails attack_types: - "Credential Phishing" From 6e614f0e344be8387dd3b850fb51cda4eb4757b4 Mon Sep 17 00:00:00 2001 
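Review bot: `and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0` on the new side is redundant: the preceding `any(… .intents, .name != "benign")` can only be true when at least one intent exists, so the second conjunct never changes the outcome and, unless the engine memoises, costs an extra classifier call. Either drop it, leaving the group as `and ( any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign") )`, or if the emphasis is wanted write `length(…) > 0` rather than `not … == 0`. The change also removes the old "no intents at all" branch, a deliberate FP tune that deserves a `// require at least one non-benign intent` comment so the narrowing stays visible. The outer `and (` and the `and ( (` group at the end are cut off by the hunk boundaries.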
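Review bot: The comment `// sedex.com is not affiliated with FedEx, but is an apparent FP` above the changed line now sits over a list that also contains `myworkday.com`, with no explanation for that entry; extend it, e.g. `// sedex.com is not affiliated with FedEx, but is an apparent FP; myworkday.com: <reason — TODO fill in>`. Without that, the next reviewer cannot tell whether the entry reflects a FedEx-used sending service or a one-off false positive that should be revisited.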
From: Sam Scholten Date: Thu, 31 Aug 2023 14:02:30 -0400 Subject: [PATCH 08/12] Update link_html_smuggling_with_google_drive_branding.yml (#756) --- .../link_html_smuggling_with_google_drive_branding.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml index 3a44b111f7d..0038b4ffdf7 100644 --- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml +++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml @@ -8,6 +8,7 @@ references: severity: "high" source: | type.inbound + and length(body.links) < 10 and any(body.links, // This isn't a Google Drive link .href_url.domain.root_domain != "google.com" From 1e8cad82205d33ec50779ed9eeaa6e82c1c4a86d Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 31 Aug 2023 12:41:46 -0700 Subject: [PATCH 09/12] Updating Rule: link_google_amp_suspicious_indicators.yml (#758) --- detection-rules/link_google_amp_suspicious_indicators.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detection-rules/link_google_amp_suspicious_indicators.yml b/detection-rules/link_google_amp_suspicious_indicators.yml index 8ee20811c2a..21209aa3456 100644 --- a/detection-rules/link_google_amp_suspicious_indicators.yml +++ b/detection-rules/link_google_amp_suspicious_indicators.yml @@ -10,10 +10,10 @@ severity: "medium" source: | type.inbound - // Any body links with a domain SLD of 'google' and a path starting with /amp/s + // Any body links with a domain SLD of 'google' and a path starting with /amp and any(body.links, .href_url.domain.sld == "google" - and strings.starts_with(.href_url.path, "/amp/s/") + and strings.starts_with(.href_url.path, "/amp/") // Brand Logo detected that is not google and ( From 955c39fba3c9b76fb894e609e011ef5770422f7b Mon Sep 17 00:00:00 2001 
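Review bot: The new `and length(body.links) < 10` guard is an unexplained threshold placed ahead of the `any(body.links, …)` test, and it is a hard exclusion: messages with ten or more links are no longer evaluated by this rule at all. A comment should record both the rationale and that trade-off, e.g. `// skip link-heavy messages (10+) to reduce FPs — TODO(review): confirm threshold against FP data`, and the rule's `references:` key could cite the cases that motivated it. The `any(body.links, …)` body continues past the hunk.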
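Review bot: The updated comment says the path starts with `/amp`, but the code on the next changed line checks `strings.starts_with(.href_url.path, "/amp/")` with a trailing slash, so a bare `/amp` path would not match; make the comment agree with the code: `// Any body links with a domain SLD of 'google' and a path starting with /amp/`. The condition was also broadened from `/amp/s/` to `/amp/`, and a second clause noting why the `/s/` segment is no longer required would help a later tuner judge the change. The `any(body.links, …)` block continues past the hunk.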
From: Aiden Mitchell Date: Fri, 1 Sep 2023 11:01:19 -0700 Subject: [PATCH 10/12] Updating Rule: link_credential_phishing_voicemail_language.yml (#763) --- detection-rules/link_credential_phishing_voicemail_language.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml index 4ef462f6b0f..c5416581259 100644 --- a/detection-rules/link_credential_phishing_voicemail_language.yml +++ b/detection-rules/link_credential_phishing_voicemail_language.yml @@ -36,6 +36,7 @@ source: | any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld)) ), ) + and sender.email.domain.root_domain not in ("magicjack.com") and ( ( sender.email.domain.root_domain in $free_email_providers From ef1a7aa3b10b5fbd1736ed87e79526d0bd0a2f60 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Fri, 1 Sep 2023 14:25:24 -0400 Subject: [PATCH 11/12] Update impersonation_amazon.yml (#762) --- detection-rules/impersonation_amazon.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml index 6f42d5e2b02..0070ab55275 100644 --- a/detection-rules/impersonation_amazon.yml +++ b/detection-rules/impersonation_amazon.yml @@ -14,7 +14,7 @@ source: | ) and ( regex.icontains(sender.display_name, - '\b[aaa๐ฐa๏ฝ๐‘Ž๐—ฎ๐•’๐–†๐“ช๐šŠ๐žชะฐษ‘ฮฑ๐”ž๐’‚๐˜ข๐›‚โบ๐’ถ๐™–๐œถ๐›ผ๐š๐–บ]maz[o0]n\s?(pay|marketplace|\.com)' + '\b[aaa๐ฐa๏ฝ๐‘Ž๐—ฎ๐•’๐–†๐“ช๐šŠ๐žชะฐษ‘ฮฑ๐”ž๐’‚๐˜ข๐›‚โบ๐’ถ๐™–๐œถ๐›ผ๐š๐–บ]maz[o0]n\s?(pay|marketplace|\.com)|แตƒโคปแถป' ) or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1 or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1 From 29489635d7b0154aa7ba430c97eada4f367cf67a Mon Sep 17 00:00:00 2001 
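Review bot: The added `|แตƒโคปแถป` branch is a top-level alternation, so it is covered neither by the leading `\b` nor by the `maz[o0]n\s?(pay|marketplace|\.com)` tail: the display name now matches whenever those three characters appear anywhere, regardless of what surrounds them. If the intent is another spelling of the whole brand, wrap and anchor it — `'\b(?:[…]maz[o0]n\s?(pay|marketplace|\.com)|แตƒโคปแถป)'` with the existing character class in place of `[…]` — and if it is an alternative first character it belongs inside that class instead. The characters also render as mis-encoded in this patch, so confirm that the committed bytes are the intended Unicode code points and add a `//` comment naming the lookalike they represent, since the raw glyphs are unreadable to a reviewer.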
From: Josh Kamdjou Date: Tue, 5 Sep 2023 14:10:01 -0700 Subject: [PATCH 12/12] Bump severities to high (#775) --- detection-rules/attachment_docusign_image_suspicious_links.yml | 2 +- detection-rules/attachment_microsoft_image_lure_qr_code.yml | 2 +- detection-rules/attachment_office365_image.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml index 66d917790b3..514b82554c1 100644 --- a/detection-rules/attachment_docusign_image_suspicious_links.yml +++ b/detection-rules/attachment_docusign_image_suspicious_links.yml @@ -1,7 +1,7 @@ name: "Attachment: DocuSign image lure with no DocuSign domains in links" description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender." type: "rule" -severity: "medium" +severity: "high" source: | type.inbound and length(filter(attachments, .file_type not in $file_types_images)) == 0 diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml index 6846c8ffb71..893ce305af0 100644 --- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml +++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml @@ -2,7 +2,7 @@ name: "Brand impersonation: Microsoft (QR code)" description: | Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads. type: "rule" -severity: "medium" +severity: "high" source: | type.inbound and ( diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml index 7a6de0ff984..012788a6b7a 100644 --- a/detection-rules/attachment_office365_image.yml +++ b/detection-rules/attachment_office365_image.yml 
@@ -2,7 +2,7 @@ name: "Attachment: Office365 image (unsolicited)" description: | Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords. type: "rule" -severity: "medium" +severity: "high" source: | type.inbound and length(filter(attachments, .file_type not in $file_types_images)) == 0