Merge branch 'main' into aiden.new.hardbacon

.github/workflows/clear-old-test-rules.yml

@@ -26,12 +26,15 @@ jobs:
         uses: actions/github-script@v4
         with:
           script: |
-            github.pulls.list({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open'
-            }).then((result) => {
-              const openPRs = result.data.map(pr => pr.number);
+            github.paginate(
+              github.pulls.list,
+              {
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                state: 'open',
+              },
+              (response) => response.data.map((pr) => pr.number)
+            ).then((openPRs) => {
               console.log(`::set-output name=open_prs::${openPRs.join(',')}`);
             });
 
@@ -43,6 +46,8 @@ jobs:
             echo "This is a forked repository. Skipping the job."
             exit 0
           fi
+          
+          echo "Open PRs: [$OPEN_PRS]"
 
           echo "Scheduled cleanup" > message.txt
           echo "" >> message.txt
@@ -61,6 +66,7 @@ jobs:
               fi
             done
           
+            echo "$file is in open PR: $in_open_pr. File PR num: $file_pr_num"
             if [[ "$in_open_pr" = "false" ]]; then
                 rm $file
                 echo "Removed $file_pr_num" >> ../message.txt

detection-rules/abuse_docsend_new_domain.yml

@@ -0,0 +1,37 @@
+name: "Service Abuse: DocSend Share From Newly Registered Domain"
+description: "This Attack Surface Reduction (ASR) rule matches on DocSend notifications with recently registered reply-to domains."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  
+  // Legitimate DocSend sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+
+  // the message needs to have a reply-to address
+  and length(headers.reply_to) > 0
+  
+  // reply-to email address has never received an email from your org
+  and not any(headers.reply_to, .email.email in $recipient_emails)
+  
+  // new reply-to
+  and any(headers.reply_to,
+          network.whois(.email.domain).days_old < 30
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free file host"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "3bc152f2-6722-57be-b924-055c35fa1e60"

detection-rules/abuse_docsend_unsolicited_reply-to.yml

@@ -0,0 +1,56 @@
+name: "Service Abuse: DocSend Share From an Unsolicited Reply-To Address"
+description: "DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+
+  // Legitimate DocSend sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+
+  // the message needs to have a reply-to address
+  and length(headers.reply_to) > 0
+
+  // reply-to email address has never been sent an email by the org
+  and not (
+    any(headers.reply_to, .email.email in $recipient_emails)
+    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
+    or any(filter(headers.reply_to,
+                  // filter the list to only emails that are not in free_email_providers
+                  (
+                    .email.domain.domain not in $free_email_providers
+                    or .email.domain.root_domain not in $free_email_providers
+                  )
+           ),
+           .email.domain.domain in $recipient_domains
+    )
+  )
+  // reply-to address has never sent an email to the org
+  and not (
+    any(headers.reply_to, .email.email in $sender_emails)
+    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
+    or any(filter(headers.reply_to,
+                  // filter the list to only emails that are not in free_email_providers
+                  (
+                    .email.domain.domain not in $free_email_providers
+                    or .email.domain.root_domain not in $free_email_providers
+                  )
+           ),
+           .email.domain.domain in $sender_domains
+    )
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free file host"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "b377e64c-21bd-5040-86ec-534e545a42db"

detection-rules/abuse_docusign_sus_names.yml

@@ -42,7 +42,7 @@ source: |
                       or .email.domain.domain not in $free_email_providers
                     )
              ),
-             .email.domain.root_domain in $sender_domains
+             .email.domain.domain in $sender_domains
       )
     )
   

detection-rules/abuse_docusign_unsolicited_reply-to.yml

@@ -41,10 +41,10 @@ source: |
                   // filter the list to only emails that are not in free_email_providers
                   (
                     .email.domain.domain not in $free_email_providers
-                    or .email.domain.domain not in $free_email_providers
+                    or .email.domain.root_domain not in $free_email_providers
                   )
            ),
-           .email.domain.root_domain in $sender_domains
+           .email.domain.domain in $sender_domains
     )
   )
 tags:

detection-rules/abuse_dropbox_sus_names.yml

@@ -58,8 +58,10 @@ source: |
     // the filename is also contianed in the subject line
     or
     (
+      // untitled.paper
+      regex.icontains(subject.subject, 'shared.*\"Untitled.paper')
       // scanner themed
-      regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
+      or regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
       // image theme
       or regex.icontains(subject.subject, 'shared.*\".*_IMG_')
       or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"')

detection-rules/abuse_dropbox_unsolicited_reply-to.yml

@@ -0,0 +1,59 @@
+name: "Service Abuse: Dropbox Share From an Unsolicited Reply-To Address"
+description: "This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  
+  // Legitimate Dropbox sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+  and strings.ends_with(headers.auth_summary.spf.details.designator,
+                        '.dropbox.com'
+  )
+  and strings.icontains(subject.subject, 'shared')
+  and strings.icontains(subject.subject, 'with you')
+  
+  and length(headers.reply_to) > 0
+  // reply-to email address has never been sent an email by the org
+  and not (
+    any(headers.reply_to, .email.email in $recipient_emails)
+    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
+    or any(filter(headers.reply_to,
+                  // filter the list to only emails that are not in free_email_providers
+                  (
+                    .email.domain.domain not in $free_email_providers
+                    or .email.domain.root_domain not in $free_email_providers
+                  )
+           ),
+           .email.domain.domain in $recipient_domains
+    )
+  )
+  // reply-to address has never sent an email to the org
+  and not (
+    any(headers.reply_to, .email.email in $sender_emails)
+    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
+    or any(filter(headers.reply_to,
+                  // filter the list to only emails that are not in free_email_providers
+                  (
+                    .email.domain.domain not in $free_email_providers
+                    or .email.domain.root_domain not in $free_email_providers
+                  )
+           ),
+           .email.domain.domain in $sender_domains
+    )
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Callback Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+  - "Header analysis"
+  - "Content analysis"
+id: "50a1499f-bb59-5ee0-b4f4-e3cc84a5c41e"

detection-rules/abuse_google_drive_unsolicited_reply-to.yml

@@ -0,0 +1,57 @@
+name: "Service Abuse: Google Drive Share From an Unsolicited Reply-To Address"
+description: "Identifies messages appearing to come from Google Drive sharing notifications that contain a reply-to address not previously seen in organizational communications. This tactic exploits trust in legitimate Google services while attempting to establish unauthorized communication channels."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.email in (
+    '[email protected]',
+    '[email protected]',
+  )
+  and not any(headers.reply_to, .email.domain.domain in $org_domains)
+  
+  // the message needs to have a reply-to address
+  and length(headers.reply_to) > 0
+  
+  // reply-to email address has never been sent an email by the org
+  and not (
+    any(headers.reply_to, .email.email in $recipient_emails)
+    // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
+    or any(filter(headers.reply_to,
+                  // filter the list to only emails that are not in free_email_providers
+                  (
+                    .email.domain.domain not in $free_email_providers
+                    or .email.domain.root_domain not in $free_email_providers
+                  )
+           ),
+           .email.domain.domain in $recipient_domains
+    )
+  )
+  // reply-to address has never sent an email to the org
+  and not (
+    any(headers.reply_to, .email.email in $sender_emails)
+    // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
+    or any(filter(headers.reply_to,
+                  // filter the list to only emails that are not in free_email_providers
+                  (
+                    .email.domain.domain not in $free_email_providers
+                    or .email.domain.root_domain not in $free_email_providers
+                  )
+           ),
+           .email.domain.root_domain in $sender_domains
+    )
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "BEC/Fraud"
+  - "Callback Phishing"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free email provider"
+  - "Social engineering"
+  - "Free file host"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "4581ec0c-aed2-50ed-8e16-2c9ca1d350ff"

detection-rules/abuse_quickbooks_impersonation_intuit.yml

@@ -0,0 +1,43 @@
+name: "Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name"
+description: "This detection rule matches on QuickBooks notifications that feature company names impersonating Intuit and QuickBooks."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  
+  // Legitimate Intuit sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+  and strings.ends_with(headers.auth_summary.spf.details.designator,
+                        '.intuit.com'
+  )
+  and (
+    // subject also contains the company name
+    strings.icontains(subject.subject, "Quickbooks")
+    or strings.icontains(subject.subject, "Intuit")
+    // the reply-to contains Inuit Themes
+    or any(headers.reply_to,
+           (
+             strings.icontains(.email.email, 'intuit')
+             or strings.icontains(.email.domain.domain, 'quickbooks')
+           )
+           and not (.email.domain.root_domain in ('intuit.com', 'quickbooks.com'))
+    )
+    // the "company" part of the message
+    or regex.icontains(body.html.raw,
+                       '<p class="companyName info-line" style="margin: 0; line-height: 1.5em; font-weight: 600;">.*(?:Intuit|Quickbooks).*</p></div>'
+    )
+  )
+attack_types:
+  - "Callback Phishing"
+  - "Credential Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "Header analysis"
+id: "42058fc4-d700-5bc3-9ee9-91641d9343c2"

detection-rules/abuse_quickbooks_new_domain.yml

@@ -0,0 +1,45 @@
+name: "Service Abuse: QuickBooks Notification From New Domain"
+description: "This Attack Surface Reduction (ASR) rule matches on QuickBooks notifications with recently registered reply-to domains."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  
+  // Legitimate Intuit sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+  and strings.ends_with(headers.auth_summary.spf.details.designator,
+                        '.intuit.com'
+  )
+  
+  // remove payment confirmation messages
+  and not strings.starts_with(subject.subject, 'Payment confirmation:')
+  
+  // the message needs to have a reply-to address
+  and length(headers.reply_to) > 0
+  
+  // reply-to email address has never received an email from your org
+  and not any(headers.reply_to, .email.email in $recipient_emails)
+  
+  // new reply-to
+  and any(filter(headers.reply_to,
+                 // negate .com.au which doesn't provide created date for domains
+                 .email.domain.tld not in ('com.au')
+          ),
+          network.whois(.email.domain).days_old < 30
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Callback Phishing"
+  - "Credential Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+  - "Header analysis"
+id: "c4f46473-0f5a-56d6-bb7e-489460bdb20f"