-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New Rule: Credential Phishing: Suspicious language, link, recipients …
…and other indicators (#804) Co-authored-by: ID Generator <[email protected]>
- Loading branch information
1 parent
ea97cf3
commit d7b5d34
Showing
1 changed file
with
61 additions
and
0 deletions.
There are no files selected for viewing
61 changes: 61 additions & 0 deletions
61
detection-rules/link_suspicious_language_undisclosed_recipients.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| name: "Credential Phishing: Suspicious language, link, recipients and other indicators" | ||
| description: | | ||
| The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender. | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| // no recipients defined | ||
| and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients")) | ||
| and length(recipients.cc) == 0 | ||
| and length(recipients.bcc) == 0 | ||
| and any(body.links, | ||
| // suspicious link | ||
| // we've particularly seen 1drv.ms abused | ||
| // if using the full list causes FPs, we can reduce the | ||
| // scope to a hard-coded list or add exclusions | ||
| ( | ||
| .href_url.domain.domain in $free_file_hosts | ||
| or .href_url.domain.root_domain in $free_subdomain_hosts | ||
| ) | ||
| // link text is in all caps | ||
| and regex.match(.display_text, "[A-Z ]+") | ||
| ) | ||
| // any confidence cred_theft classification | ||
| and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft") | ||
| // 'org' entity is in all caps | ||
| and any(ml.nlu_classifier(body.current_thread.text).entities, | ||
| .name == "org" and regex.match(.text, "[A-Z ]+") | ||
| ) | ||
| // subject is in all caps | ||
| and regex.match(subject.subject, "[A-Z ]+") | ||
| // first-time sender | ||
| and ( | ||
| ( | ||
| sender.email.domain.root_domain in $free_email_providers | ||
| and sender.email.email not in $sender_emails | ||
| ) | ||
| or ( | ||
| sender.email.domain.root_domain not in $free_email_providers | ||
| and sender.email.domain.domain not in $sender_domains | ||
| ) | ||
| ) | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Evasion" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Sender analysis" | ||
| - "URL analysis" | ||
| id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3" |