New Rule (Attachment): PDF with credential theft language and link to…

… a free subdomain (#667) Co-authored-by: ID Generator <[email protected]> Co-authored-by: Sam Scholten <[email protected]> Co-authored-by: Sam Scholten <[email protected]>
sublime-security · Jan 30, 2024 · d643728 · d643728
1 parent e2cc54d
commit d643728
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/detection-rules/attachment_pdf_free_subdomain_cred_theft.yml b/detection-rules/attachment_pdf_free_subdomain_cred_theft.yml
@@ -0,0 +1,43 @@
+name: "Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)"
+description: |
+  Detects messages with credential theft PDFs linking to free subdomains.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(ml.nlu_classifier(body.current_thread.text).intents,
+          .name == "cred_theft" and .confidence in ("medium", "high")
+  )
+  and any(attachments,
+          .file_extension == "pdf"
+          and any(file.explode(.),
+                  any(.scan.pdf.urls,
+                      .domain.root_domain in $free_subdomain_hosts
+                      and .domain.subdomain is not null
+                      and .domain.subdomain != "www"
+                  )
+                  and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                          .name == "cred_theft" and .confidence in ("medium", "high")
+                  )
+          )
+  )
+  // unsolicited
+  and (
+    not profile.by_sender().solicited
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
+
+  and not profile.by_sender().any_false_positives
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free subdomain host"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"
+id: "90f4ef4e-463f-5ea6-ae83-82ea07a30b70"