Bulk shot at FTS and unsolicited updates

sublime-security · Sep 22, 2023 · f241c99 · f241c99
1 parent 0fe0450
commit f241c99
Show file tree

Hide file tree

Showing 95 changed files with 192 additions and 768 deletions.
diff --git a/detection-rules/attachment_adobe_image_lure_fts.yml b/detection-rules/attachment_adobe_image_lure_fts.yml
@@ -20,14 +20,8 @@ source: |
           )
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Malware/Ransomware"

diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
@@ -14,14 +14,8 @@ source: |
           and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags:
   - "Attack surface reduction"

diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
@@ -14,14 +14,8 @@ source: |
 
   // first-time sender
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags:
   - "Attack surface reduction"

diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
@@ -14,14 +14,8 @@ source: |
 
   // unsolicited
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags:
   - "Attack surface reduction"

diff --git a/detection-rules/attachment_callback_phish_with_img.yml b/detection-rules/attachment_callback_phish_with_img.yml
@@ -10,14 +10,8 @@ severity: "high"
 source: |
   type.inbound
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
   and sender.email.domain.root_domain in $free_email_providers
   and any(attachments,

diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -8,14 +8,8 @@ severity: "high"
 source: |
   type.inbound
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 
   // single attachment

diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -26,14 +26,8 @@ source: |
           )
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml
@@ -14,14 +14,8 @@ source: |
           )
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
@@ -32,14 +32,8 @@ source: |
 
   // unsolicited
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml
@@ -43,14 +43,8 @@ source: |
 
   // unsolicited
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags:
   - "Attack surface reduction"

diff --git a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
@@ -19,14 +19,8 @@ source: |
           )
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags:
   - "Malfam: Emotet"

diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -13,14 +13,8 @@ source: |
           and file.oletools(.).indicators.encryption.exists
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Malware/Ransomware"

diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml
@@ -70,14 +70,8 @@ source: |
   )
   // Unsolicited
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
@@ -13,14 +13,8 @@ authors:
 source: |
   type.inbound
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
   and any(attachments,
           .file_extension in ("html", "htm")

diff --git a/detection-rules/attachment_html_smuggling_microsoft_signin.yml b/detection-rules/attachment_html_smuggling_microsoft_signin.yml
@@ -25,14 +25,8 @@ source: |
           )
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
   // allow Microsoft domains just to be safe
   and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')

diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml
@@ -17,14 +17,8 @@ source: |
   )
   // first-time sender
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags:
   - "Attack surface reduction"

diff --git a/detection-rules/attachment_malwarebazaar.yml b/detection-rules/attachment_malwarebazaar.yml
@@ -6,14 +6,8 @@ source: |
   type.inbound
   and any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters)
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags:
   - "Abusech: MalwareBazaar"

diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml
@@ -17,14 +17,8 @@ source: |
 
   // unsolicited
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Malware/Ransomware"

diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -37,14 +37,8 @@ source: |
   )
   // unsolicited
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
@@ -56,14 +56,8 @@ source: |
   )
   // unsolicited
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $recipient_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $recipient_domains
-    )
+    not profile.by_sender().solicited
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/attachment_office_file_relationship_cred_theft.yml b/detection-rules/attachment_office_file_relationship_cred_theft.yml
@@ -23,14 +23,8 @@ source: |
           )
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml
@@ -43,14 +43,8 @@ source: |
   
   // first time sender
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 tags: 
   - "Malfam: MetaStealer"

diff --git a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
@@ -19,14 +19,8 @@ source: |
           )
   )
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
-    or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
   )
 attack_types:
   - "Malware/Ransomware"