Merge branch 'main' into morriscode-openredir-2

sublime-security · Sep 18, 2023 · dbc33e7 · dbc33e7
2 parents 464388c + 07d8f92
commit dbc33e7
Show file tree

Hide file tree

Showing 34 changed files with 334 additions and 92 deletions.
diff --git a/.github/workflows/mql-mimic-tests.yml b/.github/workflows/mql-mimic-tests.yml
@@ -37,4 +37,4 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: "MQL Mimic Tests"
           ref: ${{ github.sha }}
-          timeoutSeconds: 1800
+          timeoutSeconds: 3600
diff --git a/detection-rules/attachment_credential_phishing_image_as_content.yml b/detection-rules/attachment_credential_phishing_image_as_content.yml
@@ -0,0 +1,59 @@
+name: "Credential Phishing: Image as content, short or no body contents"
+description: |
+  This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
+  or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
+  to high-confidence credit theft intentions.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) < 2
+  and 0 < (length(attachments)) < 3
+  and (
+    // body text is very short
+    (
+      0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
+    )
+    or (
+      length(body.current_thread.text) < 900
+      // or body is most likely all warning banner (text contains the sender and common warning banner language)
+      and (
+        (
+          strings.contains(body.current_thread.text, sender.email.email)
+          and strings.contains(body.current_thread.text, 'caution')
+        )
+        or regex.icontains(body.current_thread.text,
+                           "intended recipient's use only|external email|sent from outside|you don't often"
+        )
+      )
+    )
+  )
+  and (
+    all(attachments,
+        (.file_type in $file_types_images)
+        and (
+          any(file.explode(.),
+              any(.scan.exiftool.fields, .value == "Truncated PNG image")
+              or (
+                any(ml.logo_detect(..).brands, .name is not null)
+                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                        .name == "cred_theft" and .confidence == "high"
+                )
+              )
+          )
+        )
+    )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Image as content"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+id: "01313f38-d0d1-5240-b407-8f9158639277"
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -1,7 +1,7 @@
 name: "Attachment: DocuSign image lure with no DocuSign domains in links"
 description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and length(filter(attachments, .file_type not in $file_types_images)) == 0

diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
@@ -10,11 +10,13 @@ source: |
           .content_type == "message/rfc822"
           and any(file.explode(.),
                   any(.scan.url.urls,
-                      .domain.root_domain in $free_subdomain_hosts
-                      or .domain.root_domain in ("sharepoint.com")
-                      or .domain.root_domain not in $tranco_1m
+                      (
+                        .domain.root_domain in $free_subdomain_hosts
+                        or .domain.root_domain in ("sharepoint.com")
+                        or .domain.root_domain not in $tranco_1m
+                      )
+                      and beta.linkanalysis(.).credphish.disposition == "phishing"
                   )
-                  and any(.scan.url.urls, beta.linkanalysis(.).credphish.disposition == "phishing")
           )
   )
 

diff --git a/detection-rules/attachment_html_smuggling_atob.yml b/detection-rules/attachment_html_smuggling_atob.yml
@@ -8,8 +8,7 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .size <= 60000
-          and (
+          (
             .file_extension in~ ("html", "htm", "shtml", "dhtml")
             or .file_extension in~ $file_extensions_common_archives
             or .file_type == "html"

diff --git a/detection-rules/attachment_html_smuggling_line_break_obfuscation.yml b/detection-rules/attachment_html_smuggling_line_break_obfuscation.yml
@@ -0,0 +1,36 @@
+name: "Attachment: HTML smuggling with excessive line break obfuscation"
+description: |
+  Credential Phishing attacks have been observed using excessive line breaks to obfuscate javascript functions within html files.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("html", "htm", "shtml", "dhtml")
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_type == "html"
+          )
+          and any(file.explode(.),
+                  any(.scan.strings.strings,
+                  // return new line padded obfuscation 
+                      regex.contains(., '(\\r\\n\S{2}){50,}')
+                      and strings.contains(., 'decodeURIComponent')
+                  )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "HTML analysis"
+  - "Javascript analysis"
+id: "7e901440-5751-5d94-8b2d-47eb3c0e2b9d"
diff --git a/detection-rules/attachment_macro_dll_loader.yml b/detection-rules/attachment_macro_dll_loader.yml
@@ -8,17 +8,19 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension == "zip"
-          and (
-            any(file.explode(.),
-                .scan.zip.encrypted == false
-                // zip contains a dll file
-                and any(.scan.zip.all_paths, strings.icontains(., "dll"))
-            )
-            and any(file.explode(.),
-                    // macro references a dll file
-                    any(.flavors.yara, strings.like(., "vb_file"))
-                    and any(.scan.strings.strings, strings.icontains(., "dll"))
+          (
+            .file_extension == "zip"
+            and (
+              any(file.explode(.),
+                  .scan.zip.encrypted == false
+                  // zip contains a dll file
+                  and any(.scan.zip.all_paths, strings.icontains(., "dll"))
+              )
+              and any(file.explode(.),
+                      // macro references a dll file
+                      any(.flavors.yara, strings.like(., "vb_file"))
+                      and any(.scan.strings.strings, strings.icontains(., "dll"))
+              )
             )
           )
           or any(file.explode(.), // fallback for encrypted zips
@@ -27,13 +29,13 @@ source: |
                  // zip contains a dll file
                  and any(.scan.zip.all_paths, strings.icontains(., "dll"))
           )
-          or any(attachments,
-                 .file_extension in~ $file_extensions_common_archives
-                 and any(file.explode(.),
-                         any(.flavors.yara, strings.like(., "vb_file"))
-                         and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*"))
-                 )
-                 and any(file.explode(.), strings.ilike(.file_extension, "dll"))
+          or (
+            .file_extension in~ $file_extensions_common_archives
+            and any(file.explode(.),
+                    any(.flavors.yara, strings.like(., "vb_file"))
+                    and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*"))
+            )
+            and any(file.explode(.), strings.ilike(.file_extension, "dll"))
           )
   )
 attack_types:

diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -2,7 +2,7 @@ name: "Brand impersonation: Microsoft (QR code)"
 description: |
   Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and (

diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
@@ -2,7 +2,7 @@ name: "Attachment: Office365 image (unsolicited)"
 description: |
   Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and length(filter(attachments, .file_type not in $file_types_images)) == 0

diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml
@@ -0,0 +1,68 @@
+name: "Attachment: PDF with link to DMG file download"
+description: |
+  This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware. 
+references:
+  - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
+  - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
+  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_type == "pdf"
+          and any(file.explode(.),
+                  any(.scan.url.urls,
+  
+                      // url links to dmg or zip
+                      (
+                        strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip")
+                      )
+  
+                      // and downloads a dmg or a zip
+                      and any(beta.linkanalysis(.).files_downloaded,
+                              (
+                                .file_extension == "dmg"
+                                or (
+                                  .file_extension in~ $file_extensions_common_archives
+  
+                                  // and the zip contains a dmg file
+                                  and any(file.explode(.),
+                                          (.file_extension =~ "dmg")
+  
+                                          // exif inspection if encrypted
+                                          or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")
+                                  )
+                                )
+                              )
+                      )
+                  )
+          )
+  )
+  
+  
+  // first time sender
+  and (
+    (
+      sender.email.domain.root_domain in $free_email_providers
+      and sender.email.email not in $sender_emails
+    )
+    or (
+      sender.email.domain.root_domain not in $free_email_providers
+      and sender.email.domain.domain not in $sender_domains
+    )
+  )
+tags: 
+  - "Malfam: MetaStealer"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "PDF"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "URL analysis"
+
+id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -12,7 +12,7 @@ source: |
           .file_extension == "pdf"
           and any(file.explode(.),
                   any(.scan.pdf.urls,
-                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)')
+                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
                       and .domain.root_domain not in $tranco_1m
                   )
           )

diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml
@@ -7,9 +7,11 @@ type: "rule"
 severity: "low"
 source: |
   type.inbound
-  and any([body.html.display_text, body.plain.raw],
-          any(ml.nlu_classifier(.).intents, .name == "extortion" and .confidence == "high")
-          and (any(ml.nlu_classifier(.).entities, .name == "financial"))
+  and (
+  any(ml.nlu_classifier(body.current_thread.text).intents,
+      .name == "extortion" and .confidence == "high"
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial")
   )
   and (
     (

diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -15,7 +15,9 @@ source: |
         )
     )
     or any(ml.nlu_classifier(body.current_thread.text).intents,
-           .name in ("callback_scam") and .confidence == "high"
+           .name in ("callback_scam")
+           and .confidence == "high"
+           and length(body.current_thread.text) < 1500
     )
   )
   and not (

diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml
@@ -16,6 +16,7 @@ source: |
     )
   )
   and regex.icontains(subject.subject, 'immediately', 'urgent')
+  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
   and (
     (
       sender.email.domain.root_domain in $free_email_providers

diff --git a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml
@@ -5,7 +5,7 @@ severity: "medium"
 source: |
   type.inbound
   and any(ml.nlu_classifier(body.current_thread.text).intents,
-          .name in ("bec") and .confidence in ("medium", "high")
+          .name in ("bec") and .confidence == "high"
   )
   and (
     headers.return_path.domain.root_domain in $free_email_providers
@@ -21,6 +21,24 @@ source: |
     )
   )
   and sender.email.domain.root_domain not in $free_email_providers
+  
+  // negate gmail autoforwards and null return paths
+  and (
+    headers.return_path.email is null
+    or not any([headers.return_path.email], strings.ilike(headers.return_path.local_part, "*+caf_=*"))
+  )
+  
+  // negate listservs
+  and not (
+    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+    and strings.contains(sender.display_name, "via")
+  )
+  
+  // negate legit replies
+  and not (
+    length(headers.references) > 0
+    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+  )
 attack_types:
   - "BEC/Fraud"
 tactics_and_techniques:

diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
@@ -14,7 +14,7 @@ source: |
   )
   and (
     regex.icontains(sender.display_name,
-                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)'
+                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
     )
     or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
     or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
@@ -25,9 +25,15 @@ source: |
       and sender.email.domain.root_domain in $free_email_providers
     )
   )
+  // negate listservs
+  and not (
+      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+      and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in~ (
     'amazon.com',
     'amazon.com.au',
+    'amazon.com.be',
     'amazon.co.uk',
     'amazon.de',
     'amazon.es',

diff --git a/detection-rules/impersonation_fedex.yml b/detection-rules/impersonation_fedex.yml
@@ -13,7 +13,7 @@ source: |
     or strings.ilike(sender.email.domain.domain, '*fedex*')
   )
   // sedex.com is not affiliated with FedEx, but is an apparent FP
-  and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com')
+  and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com', 'myworkday.com')
   and sender.email.email not in $sender_emails
 attack_types:
   - "Credential Phishing"
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,7 @@ source: | @@
         )
       )
       and regex.icontains(subject.subject, 'immediately', 'urgent')
+      and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
       and (
         (
           sender.email.domain.root_domain in $free_email_providers
@@ Expand Down @@