-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New credential phishing rules (#995)
- Loading branch information
Showing
2 changed files
with
173 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| name: "Credential phishing content and link (first-time sender)" | ||
| description: | | ||
| Message contains credential theft language and a link to a credential phishing page from an unknown sender. | ||
| We use Link Analysis in aggressive mode to increase our chances of scanning. | ||
| type: "rule" | ||
| severity: "high" | ||
| source: | | ||
| type.inbound | ||
| and ( | ||
| any(ml.nlu_classifier(body.current_thread.text).intents, | ||
| .name == "cred_theft" and .confidence in ("medium", "high") | ||
| ) | ||
| // embedded in an image attachment | ||
| // note: don't use message_screenshot() for now | ||
| // because it's not limited to current_thread and may FP | ||
| or any(attachments, | ||
| .file_type in $file_types_images | ||
| and any(file.explode(.), | ||
| any(ml.nlu_classifier(.scan.ocr.raw).intents, | ||
| .name == "cred_theft" and .confidence in ("medium", "high") | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| and any(body.links, | ||
| beta.linkanalysis(., mode="aggressive").credphish.disposition == "phishing" | ||
| and beta.linkanalysis(., mode="aggressive").credphish.confidence in ( | ||
| "medium", | ||
| "high" | ||
| ) | ||
| ) | ||
| and ( | ||
| profile.by_sender().prevalence in ("new", "outlier") | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| // negate highly trusted sender domains unless they fail DMARC authentication | ||
| and ( | ||
| ( | ||
| sender.email.domain.root_domain in $high_trust_sender_root_domains | ||
| and ( | ||
| any(distinct(headers.hops, .authentication_results.dmarc is not null), | ||
| strings.ilike(.authentication_results.dmarc, "*fail") | ||
| ) | ||
| ) | ||
| ) | ||
| or sender.email.domain.root_domain not in $high_trust_sender_root_domains | ||
| ) | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Computer Vision" | ||
| - "Sender analysis" | ||
| - "URL analysis" | ||
| - "URL screenshot" | ||
| id: "f0c95bb7-afeb-5c8d-a654-74b5e026007f" |
112 changes: 112 additions & 0 deletions
112
detection-rules/link_credential_phishing_intent_and_other_indicators_2.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| name: "Credential phishing language and suspicious indicators (unknown sender)" | ||
| description: | | ||
| Message contains various suspicious indicators as well as engaging language resembling credential theft from an unknown sender. | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and ( | ||
| any(ml.nlu_classifier(body.current_thread.text).intents, | ||
| .name == "cred_theft" and .confidence in ("medium", "high") | ||
| ) | ||
| // embedded in an image attachment | ||
| // note: don't use message_screenshot() | ||
| // because it's not limited to current_thread and may FP | ||
| or any(attachments, | ||
| .file_type in $file_types_images | ||
| and any(file.explode(.), | ||
| any(ml.nlu_classifier(.scan.ocr.raw).intents, | ||
| .name == "cred_theft" and .confidence == "high" | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| and 4 of ( | ||
| // impersonation of the recipient's domain or email address | ||
| // in the subject to make it look more personalized | ||
| any(recipients.to, | ||
| strings.icontains(subject.subject, .email.local_part) | ||
| or strings.icontains(subject.subject, .email.domain.sld) | ||
| ), | ||
| // recipient's email address in the body. this is not very uncommon | ||
| // for legit credential themed messages either | ||
| any(recipients.to, | ||
| .email.domain.valid | ||
| and strings.icontains(body.current_thread.text, .email.email) | ||
| ), | ||
| ( | ||
| // freemail providers should never be sending this type of email | ||
| sender.email.domain.domain in $free_email_providers | ||
| // if not freemail, it's suspicious if the sender's root domain | ||
| // doesn't match any links in the body | ||
| or ( | ||
| length(body.links) > 0 | ||
| and all(body.links, | ||
| .href_url.domain.root_domain != sender.email.domain.root_domain | ||
| ) | ||
| ) | ||
| ), | ||
| strings.contains(body.current_thread.text, | ||
| "Your mailbox can no longer send or receive messages." | ||
| ), | ||
| // link redirects to a suspicious TLD | ||
| any(body.links, | ||
| any(beta.linkanalysis(., mode="aggressive").redirect_history, .domain.tld in $suspicious_tlds) | ||
| ), | ||
| ( | ||
| // suspicious redirects | ||
| // 3 or more different domains with 2 or more different TLDs | ||
| // careful because click trackers will always make this at least 2 | ||
| // different domains and not unlikely 2 or more TLDs | ||
| any(body.links, | ||
| length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history, | ||
| .domain.tld | ||
| ) | ||
| ) | ||
| ) >= 2 | ||
| and length(distinct(map(beta.linkanalysis(., mode="aggressive").redirect_history, | ||
| .domain.domain | ||
| ) | ||
| ) | ||
| ) >= 3 | ||
| ) | ||
| ), | ||
| // maybe: any brand logo with high confidence | ||
| // maybe: recipients BCCd or undisclosed | ||
| ) | ||
| and ( | ||
| ( | ||
| profile.by_sender().prevalence in ("new", "outlier") | ||
| and not profile.by_sender().solicited | ||
| ) | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| // negate highly trusted sender domains unless they fail DMARC authentication | ||
| and ( | ||
| ( | ||
| sender.email.domain.root_domain in $high_trust_sender_root_domains | ||
| and ( | ||
| any(distinct(headers.hops, .authentication_results.dmarc is not null), | ||
| strings.ilike(.authentication_results.dmarc, "*fail") | ||
| ) | ||
| ) | ||
| ) | ||
| or sender.email.domain.root_domain not in $high_trust_sender_root_domains | ||
| ) | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Free email provider" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Sender analysis" | ||
| - "URL analysis" | ||
| id: "89c186f7-8c8d-55db-8b6f-da6ead587b1d" |