From ecded4cd6aa8105872ba02d36ab219f82bf07ff9 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 10 May 2024 18:56:11 +0000
Subject: [PATCH] Sync from PR#1097 New rule: attachment_suspicious_message_fake_lure.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/1097 Source SHA c60a44f28c69567a1975ce57850945e2663064df Triggered by @morriscode
---
 ...ttachment_suspicious_message_fake_lure.yml | 264 ++++++++++++++++++
 1 file changed, 264 insertions(+)
 create mode 100644 detection-rules/attachment_suspicious_message_fake_lure.yml
diff --git a/detection-rules/attachment_suspicious_message_fake_lure.yml b/detection-rules/attachment_suspicious_message_fake_lure.yml
new file mode 100644
index 00000000000..9b492343388
--- /dev/null
+++ b/detection-rules/attachment_suspicious_message_fake_lure.yml
@@ -0,0 +1,264 @@
+name: "Suspicious message with fake attachment lure"
+description: "This rule detects messages with a fake attachment lure with suspicious indicators in the subject or display name from an unsolicited sender."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and ( // sender domain matches no body domains
+ length(body.links) > 0
+ and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
+ )
+
+ // suspicious subject or display name
+ and (
+ regex.icontains(subject.subject,
+ "termination.*notice",
+ "38417",
+ ":completed",
+ "[il1]{2}mit.*ma[il1]{2} ?bo?x",
+ "[il][il][il]egai[ -]",
+ "[li][li][li]ega[li] attempt",
+ "[ng]-?[io]n .*block",
+ "[ng]-?[io]n .*cancel",
+ "[ng]-?[io]n .*deactiv",
+ "[ng]-?[io]n .*disabl",
+ "action.*required",
+ "abandon.*package",
+ "about.your.account",
+ "acc(ou)?n?t (is )?on ho[li]d",
+ "acc(ou)?n?t.*terminat",
+ "acc(oun)?t.*[il1]{2}mitation",
+ "access.*limitation",
+ "account (will be )?block",
+ "account.*de-?activat",
+ "account.*locked",
+ "account.*re-verification",
+ "account.*security",
+ "account.*suspension",
+ "account.has.been",
+ "account.has.expired",
+ "account.will.be.blocked",
+ "account v[il]o[li]at",
+ "activity.*acc(oun)?t",
+ "almost.full",
+ "app[li]e.[il]d",
+ "authenticate.*account",
+ "been.*suspend",
+ "clos.*of.*account.*processed",
+ "confirm.your.account",
+ "courier.*able",
+ "deactivation.*in.*progress",
+ "delivery.*attempt.*failed",
+ "document.received",
+ "documented.*shared.*with.*you",
+ "dropbox.*document",
+ "e-?ma[il1]+ .{010}suspen",
+ "e-?ma[il1]{1} user",
+ "e-?ma[il1]{2} acc",
+ "e-?ma[il1]{2}.*up.?grade",
+ "e.?ma[il1]{2}.*server",
+ "e.?ma[il1]{2}.*suspend",
+ "email.update",
+ "faxed you",
+ "fraud(ulent)?.*charge",
+ "from.helpdesk",
+ "fu[il1]{2}.*ma[il1]+[ -]?box",
+ "has.been.*suspended",
+ "has.been.limited",
+ "have.locked",
+ "he[li]p ?desk upgrade",
+ "heipdesk",
+ "i[il]iega[il]",
+ "ii[il]ega[il]",
+ "incoming 
e?mail", + "incoming.*fax", + "lock.*security", + "ma[il1]{1}[ -]?box.*quo", + "ma[il1]{2}[ -]?box.*fu[il1]", + "ma[il1]{2}box.*[il1]{2}mit", + "ma[il1]{2}box stor", + "mail on.?hold", + "mail.*box.*migration", + "mail.*de-?activat", + "mail.update.required", + "mails.*pending", + "messages.*pending", + "missed.*shipping.*notification", + "missed.shipment.notification", + "must.update.your.account", + "new [sl][io]g?[nig][ -]?in from", + "new voice ?-?mail", + "notifications.*pending", + "office.*3.*6.*5.*suspend", + "office365", + "on google docs with you", + "online doc", + "password.*compromised", + "periodic maintenance", + "potential(ly)? unauthorized", + "refund not approved", + "report", + "revised.*policy", + "scam", + "scanned.?invoice", + "secured?.update", + "security breach", + "securlty", + "signed.*delivery", + "status of your .{314}? ?delivery", + "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty", + "suspicious.*sign.*[io]n", + "suspicious.activit", + "temporar(il)?y deactivate", + "temporar[il1]{2}y disab[li]ed", + "temporarily.*lock", + "un-?usua[li].activity", + "unable.*deliver", + "unauthorized.*activit", + "unauthorized.device", + "undelivered message", + "unread.*doc", + "unusual.activity", + "upgrade.*account", + "upgrade.notice", + "urgent message", + "urgent.verification", + "v[il1]o[li1]at[il1]on security", + "va[il1]{1}date.*ma[il1]{2}[ -]?box", + "verification ?-?require", + "verification( )?-?need", + "verify.your?.account", + "web ?-?ma[il1]{2}", + "web[ -]?ma[il1]{2}", + "will.be.suspended", + "your (customer )?account .as", + "your.office.365", + "your.online.access" + ) + or any($suspicious_subjects, strings.icontains(subject.subject, .)) + or regex.icontains(sender.display_name, + "Admin", + "Administrator", + "Alert", + "Assistant", + "Billing", + "Benefits", + "Bonus", + "CEO", + "CFO", + "CIO", + "CTO", + "Chairman", + "Claim", + "Confirm", + "Critical", + "Customer Service", + "Deal", + "Discount", + "Director", + "Exclusive", + 
"Executive", + "Fax", + "Free", + "Gift", + "/bHR/b", + "Helpdesk", + "Human Resources", + "Immediate", + "Important", + "Info", + "Information", + "Invoice", + '\bIT\b', + "Legal", + "Lottery", + "Management", + "Manager", + "Member Services", + "Notification", + "Offer", + "Operations", + "Order", + "Partner", + "Payment", + "Payroll", + "President", + "Premium", + "Prize", + "Receipt", + "Refund", + "Registrar", + "Required", + "Reward", + "Sales", + "Secretary", + "Security", + "Service", + "Signature", + "Storage", + "Support", + "Sweepstakes", + "System", + "Tax", + "Team", + "Tech Support", + "Update", + "Upgrade", + "Urgent", + "Validate", + "Verify", + "VIP", + "Webmaster", + "Winner", + ) + ) + + // fake attachment + and ( + any(attachments, + ( + .file_extension in $file_types_images + or (.file_extension == "pdf" or .file_type == "pdf") + ) + and ( + any(ml.logo_detect(.).brands, .name == "FakeAttachment") + or any(ml.logo_detect(beta.message_screenshot()).brands, + .name == "FakeAttachment" + ) + ) + ) + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and ( + any(distinct(headers.hops, .authentication_results.dmarc is not null), + strings.ilike(.authentication_results.dmarc, "*fail") + ) + ) + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + and not profile.by_sender().any_false_positives +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Image as content" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Sender analysis" +id: "c2b9768d-8299-5033-9eaa-3cd7da0cef7f" +testing_pr: 1097 +testing_sha: c60a44f28c69567a1975ce57850945e2663064df