From d7b5d348325202ca46d9d0749c4be897c99da121 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 12:54:36 -0400 Subject: [PATCH] New Rule: Credential Phishing: Suspicious language, link, recipients and other indicators (#804) Co-authored-by: ID Generator --- ...icious_language_undisclosed_recipients.yml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 detection-rules/link_suspicious_language_undisclosed_recipients.yml diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml new file mode 100644 index 00000000000..7fcb7a130ba --- /dev/null +++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml @@ -0,0 +1,61 @@ +name: "Credential Phishing: Suspicious language, link, recipients and other indicators" +description: | + The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender. +type: "rule" +severity: "medium" +source: | + type.inbound + + // no recipients defined + and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients")) + and length(recipients.cc) == 0 + and length(recipients.bcc) == 0 + + and any(body.links, + + // suspicious link + // we've particularly seen 1drv.ms abused + // if using the full list causes FPs, we can reduce the + // scope to a hard-coded list or add exclusions + ( + .href_url.domain.domain in $free_file_hosts + or .href_url.domain.root_domain in $free_subdomain_hosts + ) + + // link text is in all caps + and regex.match(.display_text, "[A-Z ]+") + ) + + // any confidence cred_theft classification + and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft") + + // 'org' entity is in all caps + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "org" and regex.match(.text, "[A-Z ]+") + ) + + // subject is in all caps + and regex.match(subject.subject, "[A-Z ]+") + + // first-time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" + - "URL analysis" +id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"