From f241c999bae634bf44f3c120394b8448fad39547 Mon Sep 17 00:00:00 2001 
From: Sam Scholten Date: Fri, 22 Sep 2023 12:06:19 -0400 Subject: [PATCH] Bulk shot at FTS and unsolicited updates --- .../attachment_adobe_image_lure_fts.yml | 10 ++-------- ...chment_any_html_in_archive_unsolicited.yml | 10 ++-------- .../attachment_any_html_new_sender.yml | 10 ++-------- .../attachment_any_html_unsolicited.yml | 10 ++-------- .../attachment_callback_phish_with_img.yml | 10 ++-------- .../attachment_callback_phish_with_pdf.yml | 10 ++-------- ...chment_docusign_image_suspicious_links.yml | 10 ++-------- ...achment_dropbox_image_suspicious_links.yml | 10 ++-------- detection-rules/attachment_eml_cred_theft.yml | 10 ++-------- .../attachment_eml_with_html_attachment.yml | 10 ++-------- ...hment_emotet_heavily_padded_doc_in_zip.yml | 10 ++-------- .../attachment_encrypted_ole_unsolicited.yml | 10 ++-------- .../attachment_html_attachment_login_page.yml | 10 ++-------- ...ment_html_smuggling_double_encoded_zip.yml | 10 ++-------- ...chment_html_smuggling_microsoft_signin.yml | 10 ++-------- .../attachment_js_file_execution.yml | 10 ++-------- detection-rules/attachment_malwarebazaar.yml | 10 ++-------- .../attachment_mht_embedded_vbscript.yml | 10 ++-------- ...ttachment_microsoft_image_lure_qr_code.yml | 10 ++-------- .../attachment_office365_image.yml | 10 ++-------- ...nt_office_file_relationship_cred_theft.yml | 10 ++-------- .../attachment_pdf_link_to_dmg.yml | 10 ++-------- ...pdf_linking_to_password_protected_file.yml | 10 ++-------- ...ow_reputation_link_to_suspicious_files.yml | 10 ++-------- ...f_with_low_reputation_link_to_zip_file.yml | 10 ++-------- .../attachment_soliciting_enable_macros.yml | 10 ++-------- ...suspicious_vba_macro_first_time_sender.yml | 10 ++-------- .../attachment_svg_embedded_js.yml | 10 ++-------- ...chment_vba_macro_auto_exec_unsolicited.yml | 10 ++-------- ...chment_vba_macro_auto_open_unsolicited.yml | 10 ++-------- ...hment_vba_macro_employee_impersonation.yml | 10 ++-------- 
.../attachment_vba_macro_high_risk.yml | 10 ++-------- ...achment_with_encrypted_zip_unsolicited.yml | 10 ++-------- ...ent_with_suspicious_author_unsolicited.yml | 10 ++-------- ...with_unknown_encrypted_zip_unsolicited.yml | 10 ++-------- ...y_business_email_compromise_new_sender.yml | 10 ++-------- ..._business_email_compromise_unsolicited.yml | 10 ++-------- .../body_callback_phishing_no_attachment.yml | 10 ++-------- detection-rules/body_job_scam_new_sender.yml | 10 ++-------- ...lback_phishing_nlu_body_or_attachments.yml | 10 ++-------- ...ing_link_from_suspicious_sender_domain.yml | 10 ++-------- .../file_sharing_link_suspicious_subject.yml | 10 ++-------- ...d_recipients_no_links_freemail_replyto.yml | 10 ++-------- ...headers_replyto_new_domain_nlu_request.yml | 10 ++-------- .../headers_russia_return_path.yml | 10 ++-------- .../impersonation_amazon_suspicious_text.yml | 10 ++-------- detection-rules/impersonation_barracuda.yml | 10 ++-------- detection-rules/impersonation_chase.yml | 10 ++-------- detection-rules/impersonation_dhl.yml | 10 ++-------- detection-rules/impersonation_docusign.yml | 10 ++-------- .../impersonation_employee_payroll_fraud.yml | 10 ++-------- .../impersonation_employee_subject.yml | 10 ++-------- .../impersonation_employee_urgent_request.yml | 10 ++-------- ...hread_mismatched_from_freemail_replyto.yml | 10 ++-------- detection-rules/impersonation_finra.yml | 10 ++-------- detection-rules/impersonation_github.yml | 10 ++-------- .../impersonation_human_resources.yml | 10 ++-------- detection-rules/impersonation_microsoft.yml | 10 ++-------- detection-rules/impersonation_paypal.yml | 10 ++-------- .../impersonation_recipient_domain.yml | 10 ++-------- ...tion_recipient_sld_in_sender_local_fts.yml | 10 ++-------- detection-rules/impersonation_ripple.yml | 10 ++-------- detection-rules/impersonation_spotify.yml | 10 ++-------- detection-rules/impersonation_stellar.yml | 10 ++-------- .../impersonation_sublime_security.yml | 10 
++-------- .../impersonation_vip_urgent_request.yml | 10 ++-------- detection-rules/inline_image_as_message.yml | 10 ++-------- detection-rules/link_credential_phishing.yml | 10 ++-------- ...l_phishing_intent_and_other_indicators.yml | 10 ++-------- ...ink_credential_phishing_secure_message.yml | 10 ++-------- ...hing_suspicious_sender_tld_and_signals.yml | 10 ++-------- ...credential_phishing_voicemail_language.yml | 10 ++-------- ...k_download_disk_image_in_encrypted_zip.yml | 10 ++-------- .../link_download_suspicious_file.yml | 10 ++-------- .../link_fake_fax_low_reputation.yml | 10 ++-------- .../link_google_apps_script_macro.yml | 10 ++-------- detection-rules/link_google_translate.yml | 10 ++-------- ...ink_html_smuggling_with_adobe_branding.yml | 10 ++-------- ...l_smuggling_with_google_drive_branding.yml | 10 ++-------- detection-rules/link_ipfs_phishing.yml | 10 ++-------- detection-rules/link_login_or_captcha.yml | 10 ++-------- .../link_microsoft_device_code_phish.yml | 10 ++-------- ...crosoft_impersonation_using_hosted_png.yml | 10 ++-------- ...k_new_domain_in_link_first_time_sender.yml | 10 ++-------- detection-rules/link_notion_file_share.yml | 10 ++-------- .../link_qr_code_suspicious_language_fts.yml | 10 ++-------- ...icious_language_undisclosed_recipients.yml | 10 ++-------- ..._campaign_recipient_address_new_sender.yml | 10 ++-------- detection-rules/open_redirect_avast.yml | 10 ++-------- ...pients_undisclosed_free_subdomain_host.yml | 10 ++-------- ...nder_new_from_domain_first_time_sender.yml | 10 ++-------- ...n_excessive_display_text_with_keywords.yml | 10 ++-------- detection-rules/spam_new_domain_emojis.yml | 10 ++-------- detection-rules/spam_url_shortener_emojis.yml | 10 ++-------- ...impersonation_attack_surface_reduction.yml | 20 ++++--------------- 95 files changed, 192 insertions(+), 768 deletions(-) 
diff --git a/detection-rules/attachment_adobe_image_lure_fts.yml b/detection-rules/attachment_adobe_image_lure_fts.yml index 78125362de3..eca3de8f1f9 100644 --- a/detection-rules/attachment_adobe_image_lure_fts.yml +++ b/detection-rules/attachment_adobe_image_lure_fts.yml @@ -20,14 +20,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml index ddf0659e54e..a395e98ea3c 100644 --- a/detection-rules/attachment_any_html_in_archive_unsolicited.yml +++ b/detection-rules/attachment_any_html_in_archive_unsolicited.yml @@ -14,14 +14,8 @@ source: | and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm")) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Attack surface reduction" diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml index cc22e73e915..d5f93a7c215 100644 --- a/detection-rules/attachment_any_html_new_sender.yml +++ b/detection-rules/attachment_any_html_new_sender.yml 
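Review bot: The rule keeps its `_fts` (first-time sender) name while the condition on the `+` lines also matches `prevalence == "outlier"` and any established sender that has a malicious verdict and no false positive on record, so the name and, presumably, the `name:`/`description:` fields above this hunk (outside it) no longer describe when it fires. The removed lines keyed freemail senders on the exact address and corporate senders on `sender.email.domain.domain`; the hunk does not show what granularity `profile.by_sender()` uses, and a root-domain key would merge subdomains the old check kept apart, so that should be confirmed. I would add `// new or outlier sender, or a sender with prior malicious verdicts and no false positives` above the `and (` so the widened scope is stated where the logic lives.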
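Review bot: The `not profile.by_sender().any_false_positives` guard on the second `+` line means a single false-positive verdict on any earlier message from a sender permanently disables the malicious-history branch for that sender, however many malicious verdicts also exist; if that asymmetry is intended it deserves a comment such as `// history branch is suppressed by any FP verdict on the sender`. The branch is an `or` against `not solicited`, so it only widens the rule; the "Attack surface reduction" tag in the trailing context suggests that is acceptable here, but the same two lines are pasted into the non-ASR rules in this commit, where the widening is less obviously wanted.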
@@ -14,14 +14,8 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Attack surface reduction" diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml index 075feda5569..08793666497 100644 --- a/detection-rules/attachment_any_html_unsolicited.yml +++ b/detection-rules/attachment_any_html_unsolicited.yml @@ -14,14 +14,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Attack surface reduction" diff --git a/detection-rules/attachment_callback_phish_with_img.yml b/detection-rules/attachment_callback_phish_with_img.yml index e9ce44623c7..387dc91e72c 100644 --- a/detection-rules/attachment_callback_phish_with_img.yml +++ b/detection-rules/attachment_callback_phish_with_img.yml 
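Review bot: The context comment `// first-time sender` kept above the new `and (` is now inaccurate: `prevalence in ("new", "outlier")` also matches infrequent-but-known senders, and the second `+` line matches any sender with a malicious verdict and no false positives regardless of prevalence. Suggest `// new/outlier sender, or prior malicious verdicts without false positives` so the comment tracks the condition. The `_new_sender` file name has the same drift; the `description:` field is outside this hunk and should be checked.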
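Review bot: `// unsolicited` above the rewritten block no longer covers the second `+` line, which fires on solicited senders that have `any_malicious_messages` and no `any_false_positives`. Suggest `// unsolicited, or solicited sender with prior malicious verdicts and no FPs`. The file's `_unsolicited` suffix and its description (outside the hunk) carry the same mismatch.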
@@ -10,14 +10,8 @@ severity: "high" source: | type.inbound and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) and sender.email.domain.root_domain in $free_email_providers and any(attachments, diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml index 1b6f24a320b..5b27207a674 100644 --- a/detection-rules/attachment_callback_phish_with_pdf.yml +++ b/detection-rules/attachment_callback_phish_with_pdf.yml @@ -8,14 +8,8 @@ severity: "high" source: | type.inbound and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) // single attachment diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml index 514b82554c1..46f50671da4 100644 --- a/detection-rules/attachment_docusign_image_suspicious_links.yml +++ b/detection-rules/attachment_docusign_image_suspicious_links.yml 
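Review bot: This rule still requires `sender.email.domain.root_domain in $free_email_providers` in the trailing context, and the removed lines deliberately keyed such senders on the exact `sender.email.email`; the hunk does not show what `profile.by_sender()` keys on for freemail. If it profiles by domain, every sender at one provider shares a profile and `solicited` / `any_malicious_messages` stop discriminating for this rule, so confirm it and note it, e.g. `// assumes profile.by_sender() keys freemail senders by full address`. Placing the cheap freemail check before the profile lookup would also read more naturally, though the result is the same.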
@@ -26,14 +26,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml index 1de0a856b31..ca116fbc212 100644 --- a/detection-rules/attachment_dropbox_image_suspicious_links.yml +++ b/detection-rules/attachment_dropbox_image_suspicious_links.yml @@ -14,14 +14,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml index a85a54f7777..d02c7670709 100644 --- a/detection-rules/attachment_eml_cred_theft.yml +++ b/detection-rules/attachment_eml_cred_theft.yml @@ -32,14 +32,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" 
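Review bot: The retained `// unsolicited` comment in the eml_cred_theft hunk describes only the first `+` line; the `or (any_malicious_messages and not any_false_positives)` branch fires on senders the organisation has already corresponded with. Update it to `// unsolicited, or sender with malicious history and no FP verdicts` so a reader triaging a hit on a known correspondent is not misled. The rest of that rule body begins above the hunk.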
diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml index 68fac95489f..761fd71b9fc 100644 --- a/detection-rules/attachment_eml_with_html_attachment.yml +++ b/detection-rules/attachment_eml_with_html_attachment.yml @@ -43,14 +43,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Attack surface reduction" diff --git a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml index b23bcff7ba2..e8e503fab69 100644 --- a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml +++ b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml @@ -19,14 +19,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Malfam: Emotet" diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml index 6e591479b56..5b3027311cd 100644 --- a/detection-rules/attachment_encrypted_ole_unsolicited.yml +++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml 
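Review bot: Same drift as elsewhere in the commit: `// unsolicited` sits above a condition whose second `+` line is satisfied by a solicited sender with malicious history and no false positives. Suggest `// unsolicited, or malicious history without FPs`; the "Attack surface reduction" tag in context means the widening is probably intended, but the comment should say so.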
@@ -13,14 +13,8 @@ source: | and file.oletools(.).indicators.encryption.exists ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml index 6f720efda3f..cf84bdeca2c 100644 --- a/detection-rules/attachment_html_attachment_login_page.yml +++ b/detection-rules/attachment_html_attachment_login_page.yml @@ -70,14 +70,8 @@ source: | ) // Unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml index d1d56ea9890..01f5ae128fe 100644 --- a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml +++ b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml 
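Review bot: `// Unsolicited` in the html_attachment_login_page hunk now understates the condition; the malicious-history `or` branch on the second `+` line matches solicited senders too. Suggest `// Unsolicited, or prior malicious verdicts with no false positives`. The rule's preceding ~70 lines are outside this hunk, so I cannot tell whether an earlier reply/thread exclusion already narrows this for known correspondents.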
@@ -13,14 +13,8 @@ authors: source: | type.inbound and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) and any(attachments, .file_extension in ("html", "htm") diff --git a/detection-rules/attachment_html_smuggling_microsoft_signin.yml b/detection-rules/attachment_html_smuggling_microsoft_signin.yml index 5bc76594293..c29fb7bf847 100644 --- a/detection-rules/attachment_html_smuggling_microsoft_signin.yml +++ b/detection-rules/attachment_html_smuggling_microsoft_signin.yml @@ -25,14 +25,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) // allow Microsoft domains just to be safe and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com') diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml index 642e8a53016..7ddfea80f70 100644 --- a/detection-rules/attachment_js_file_execution.yml +++ b/detection-rules/attachment_js_file_execution.yml 
@@ -17,14 +17,8 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Attack surface reduction" diff --git a/detection-rules/attachment_malwarebazaar.yml b/detection-rules/attachment_malwarebazaar.yml index 96091611291..0521e513ab2 100644 --- a/detection-rules/attachment_malwarebazaar.yml +++ b/detection-rules/attachment_malwarebazaar.yml @@ -6,14 +6,8 @@ source: | type.inbound and any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Abusech: MalwareBazaar" diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml index dd75945472b..91cee0e78f8 100644 --- a/detection-rules/attachment_mht_embedded_vbscript.yml +++ b/detection-rules/attachment_mht_embedded_vbscript.yml 
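Review bot: The `// first-time sender` comment retained above the new block is wrong on two counts after this change: `"outlier"` prevalence is not first-time, and the second `+` line matches established senders with malicious history and no false positives. Suggest `// new/outlier sender, or prior malicious verdicts with no FPs`.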
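Review bot: Gating a trusted-reporter MalwareBazaar hash match on sender prevalence or history (the `and (` block on the `+` lines) means a known-bad attachment from an established, never-flagged sender still does not fire; that is inherited from the removed lines, but the new `not any_false_positives` clause adds a second way to suppress it. Worth a comment stating that this is intentional, e.g. `// sender gating is deliberate; hash hits from established senders are handled elsewhere`, or reconsidering whether a hash hit should bypass the gate.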
@@ -17,14 +17,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml index 893ce305af0..8f3b790b10e 100644 --- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml +++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml @@ -37,14 +37,8 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml index 012788a6b7a..44817ffd3ba 100644 --- a/detection-rules/attachment_office365_image.yml +++ b/detection-rules/attachment_office365_image.yml @@ -56,14 +56,8 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" 
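Review bot: `// unsolicited` above the `and (` no longer matches the condition's second `+` line, which fires on solicited senders with `any_malicious_messages` and no `any_false_positives`. Suggest `// unsolicited, or malicious history without FP verdicts`. All three rules in this span (mht_embedded_vbscript, microsoft_image_lure_qr_code, office365_image) carry the identical stale comment.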
diff --git a/detection-rules/attachment_office_file_relationship_cred_theft.yml b/detection-rules/attachment_office_file_relationship_cred_theft.yml index bf5dd44065f..7b7fd7873bd 100644 --- a/detection-rules/attachment_office_file_relationship_cred_theft.yml +++ b/detection-rules/attachment_office_file_relationship_cred_theft.yml @@ -23,14 +23,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml index da3da87d685..578e048d5ab 100644 --- a/detection-rules/attachment_pdf_link_to_dmg.yml +++ b/detection-rules/attachment_pdf_link_to_dmg.yml @@ -43,14 +43,8 @@ source: | // first time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Malfam: MetaStealer" diff --git a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml index ee11e2e24b8..950cdf1f747 100644 --- a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml +++ b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml 
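Review bot: `// first time sender` in the pdf_link_to_dmg hunk is now a misnomer: the `prevalence in ("new", "outlier")` line also admits rare known senders, and the history branch admits any sender with a malicious verdict and no FP. Suggest `// new/outlier sender, or malicious history with no FPs`. The "Malfam: MetaStealer" tag suggests this is a targeted malware rule, so the widened scope should also be reflected in its description (outside the hunk).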
@@ -19,14 +19,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml index c89d21b1247..863a8a52f71 100644 --- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml +++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml @@ -19,14 +19,8 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Malfam: Ave Maria" diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml index b198d9f3d6b..848c714fdc9 100644 --- a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml +++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml 
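Review bot: The `// unsolicited` comment in the low-reputation-link hunk is stale for the same reason as the sibling rules: the second `+` line fires on solicited senders with malicious history and no false positives. Suggest `// unsolicited, or malicious history without FPs`. For a malware-family rule ("Malfam: Ave Maria" in context) a previously flagged known correspondent is plausibly the case the history branch is meant to catch, which is worth stating in the comment.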
@@ -20,14 +20,8 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Malfam: QakBot" diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml index 3ba77138bc1..8567dc9d87e 100644 --- a/detection-rules/attachment_soliciting_enable_macros.yml +++ b/detection-rules/attachment_soliciting_enable_macros.yml @@ -19,14 +19,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml index c76d0b80421..fed5d46ade6 100644 --- a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml +++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml 
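Review bot: `// unsolicited` above the replaced block now covers only the first `+` line; the `or (any_malicious_messages and not any_false_positives)` branch matches known correspondents, which for a rule tagged "Malfam: QakBot" is presumably the reply-chain case the tag implies. Suggest `// unsolicited, or known sender with prior malicious verdicts and no FPs`.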
@@ -11,14 +11,8 @@ source: | and ml.macro_classifier(.).confidence in ("high") ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml index 0daca577a33..5fe5d524af5 100644 --- a/detection-rules/attachment_svg_embedded_js.yml +++ b/detection-rules/attachment_svg_embedded_js.yml @@ -24,14 +24,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml index 37e28fd0864..bfc97f1e0cc 100644 --- a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml +++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml 
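Review bot: The file is named `_first_time_sender` but the new `+` lines match `"outlier"` prevalence and any sender with malicious history and no false positives, so the name and description (outside the hunk) have drifted from the logic. Add `// new/outlier sender, or malicious history with no FPs` above `and (`, and consider renaming or updating the description so a high-confidence `macro_classifier` hit is not read as a first-contact-only signal.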
@@ -14,14 +14,8 @@ source: | and any(file.oletools(.).macros.keywords, .type =~ "autoexec") ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) // negate replies diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml index 15d1abef2b1..0ae5f0e3741 100644 --- a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml +++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml @@ -15,14 +15,8 @@ source: | and any(file.explode(.), any(.scan.vba.auto_exec, . == "AutoOpen")) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml index 56297c4fc66..271ea3fdd4b 100644 --- a/detection-rules/attachment_vba_macro_employee_impersonation.yml +++ b/detection-rules/attachment_vba_macro_employee_impersonation.yml 
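Review bot: The `// negate replies` block that follows (outside the hunk) becomes more important, not less, after this change: the malicious-history `or` branch on the second `+` line can match a sender the organisation has mailed, so without the reply exclusion a legitimate reply thread from a once-flagged sender fires. Suggest `// keep the reply negation below: the history branch admits solicited senders` above that block.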
@@ -21,14 +21,8 @@ source: | and file.oletools(.).indicators.vba_macros.exists ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml index 87e0802a0d1..f06cf544684 100644 --- a/detection-rules/attachment_vba_macro_high_risk.yml +++ b/detection-rules/attachment_vba_macro_high_risk.yml @@ -12,14 +12,8 @@ source: | and file.oletools(.).indicators.vba_macros.risk == "high" ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml index 02c3d167ed8..49e6cfd4bd9 100644 --- a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml +++ b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml 
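Review bot: `not profile.by_sender().any_false_positives` on the second `+` line of the vba_macro_high_risk hunk lets one FP verdict disable the history branch for a sender whose macros scored `risk == "high"`; if analysts mark FPs on unrelated benign mail from the same sender, high-risk macros from it fall back to the `solicited` check alone. Suggest a comment `// one FP verdict on the sender disables the history branch` so the behaviour is visible when triaging.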
@@ -12,14 +12,8 @@ source: | and any(file.explode(.), any(.flavors.yara, . == 'encrypted_zip')) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_with_suspicious_author_unsolicited.yml b/detection-rules/attachment_with_suspicious_author_unsolicited.yml index b1a0aefa868..78aa771d53d 100644 --- a/detection-rules/attachment_with_suspicious_author_unsolicited.yml +++ b/detection-rules/attachment_with_suspicious_author_unsolicited.yml @@ -13,14 +13,8 @@ source: | and any(file.explode(.), strings.ilike(.scan.docx.author, "root")) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml index ea490e8480e..f043ca95997 100644 --- a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml +++ b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml 
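Review bot: The `docx.author` "root" indicator in context is weak on its own, and the new second `+` line widens the rule to solicited senders with malicious history and no FPs; that is defensible, but the comment and description should say the rule is no longer strictly unsolicited. Suggest `// unsolicited, or malicious history without FPs` above `and (`.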
@@ -16,14 +16,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Malware/Ransomware" diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml index 16fb9df2d5f..b218111d51a 100644 --- a/detection-rules/body_business_email_compromise_new_sender.yml +++ b/detection-rules/body_business_email_compromise_new_sender.yml @@ -23,14 +23,8 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml index a3181b43bd8..6fd40af12bd 100644 --- a/detection-rules/body_business_email_compromise_unsolicited.yml +++ b/detection-rules/body_business_email_compromise_unsolicited.yml 
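Review bot: In body_business_email_compromise_new_sender.yml the replacement `profile.by_sender().prevalence in ("new", "outlier")` also matches `outlier`, which is presumably a sender that has been seen before but rarely, whereas the removed `$sender_emails`/`$sender_domains` checks only matched senders never seen at all; the retained `// first-time sender` comment above the block now understates what the rule matches, and the file name still says `new_sender`. If including `outlier` is deliberate, update the comment to `// new or rarely-seen (outlier) sender` so the broadened scope is visible to whoever tunes the rule for false positives. This hunk sits inside a `source` block that begins outside the hunk.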
@@ -45,14 +45,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: diff --git a/detection-rules/body_callback_phishing_no_attachment.yml b/detection-rules/body_callback_phishing_no_attachment.yml index b946d070b17..fd92fb151da 100644 --- a/detection-rules/body_callback_phishing_no_attachment.yml +++ b/detection-rules/body_callback_phishing_no_attachment.yml @@ -9,14 +9,8 @@ source: | type.inbound and length(attachments) == 0 and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) and sender.email.domain.root_domain in $free_email_providers and strings.ilike(body.current_thread.text, diff --git a/detection-rules/body_job_scam_new_sender.yml b/detection-rules/body_job_scam_new_sender.yml index e8f38c799a2..50a87b80f75 100644 --- a/detection-rules/body_job_scam_new_sender.yml +++ b/detection-rules/body_job_scam_new_sender.yml 
@@ -11,14 +11,8 @@ source: | and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial") ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml index 2eaa5c00728..87e76a14a67 100644 --- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml +++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml @@ -25,14 +25,8 @@ source: | and strings.icontains(body.html.raw, "bigcommerce.com") ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Callback Phishing" diff --git a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml index 025a1355b86..e9be31dabe1 100644 --- a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml +++ b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml 
@@ -8,14 +8,8 @@ source: | and any(body.links, .href_url.domain.domain in $free_file_hosts) and sender.email.domain.tld in $suspicious_tlds and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml index 88d8b23f04c..fa5ca5a9973 100644 --- a/detection-rules/file_sharing_link_suspicious_subject.yml +++ b/detection-rules/file_sharing_link_suspicious_subject.yml @@ -18,14 +18,8 @@ source: | and regex.icontains(subject.subject, 'immediately', 'urgent') and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign") and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml index f255d1269da..d36e5f33565 100644 --- a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml +++ b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml 
@@ -16,14 +16,8 @@ source: | and not .email.domain.domain == sender.email.domain.domain ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml index ca6fcd540c8..2d14257af4e 100644 --- a/detection-rules/headers_replyto_new_domain_nlu_request.yml +++ b/detection-rules/headers_replyto_new_domain_nlu_request.yml @@ -27,14 +27,8 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/headers_russia_return_path.yml b/detection-rules/headers_russia_return_path.yml index a1aa279d27f..ff0c342bf50 100644 --- a/detection-rules/headers_russia_return_path.yml +++ b/detection-rules/headers_russia_return_path.yml 
@@ -8,14 +8,8 @@ source: | and headers.return_path.domain.tld == "ru" and sender.email.email not in $recipient_emails and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/impersonation_amazon_suspicious_text.yml b/detection-rules/impersonation_amazon_suspicious_text.yml index 018882fa9dc..a68e3a08c1b 100644 --- a/detection-rules/impersonation_amazon_suspicious_text.yml +++ b/detection-rules/impersonation_amazon_suspicious_text.yml @@ -35,14 +35,8 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) and sender.email.domain.root_domain not in~ ( 'amazon.com', diff --git a/detection-rules/impersonation_barracuda.yml b/detection-rules/impersonation_barracuda.yml index ac9b348cb8c..7cbe60a5b01 100644 --- a/detection-rules/impersonation_barracuda.yml +++ b/detection-rules/impersonation_barracuda.yml 
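Review bot: In headers_russia_return_path.yml the context line `and sender.email.email not in $recipient_emails` directly above the replaced block is left in place, so this rule now combines the old list-based unsolicited check with the new `profile.by_sender().prevalence in ("new", "outlier")` gate, unlike the sibling rules in this patch that drop the list checks entirely. If the list check is still wanted here, a one-line comment saying why would stop the next bulk edit from removing it; otherwise replacing it with `and not profile.by_sender().solicited` keeps the rule consistent with the rest of the change. The `source` block this hunk belongs to begins outside the hunk.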
@@ -22,14 +22,8 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml index 40990223d26..2ee37e4d653 100644 --- a/detection-rules/impersonation_chase.yml +++ b/detection-rules/impersonation_chase.yml @@ -24,14 +24,8 @@ source: | and sender.display_name not in~ ("chaser", "case") and sender.email.domain.root_domain not in~ ('chase.com', 'united.com', 'transunion.com', 'shopping-chase.com') and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml index 3fee425bae3..faf4e8f52dd 100644 --- a/detection-rules/impersonation_dhl.yml +++ b/detection-rules/impersonation_dhl.yml 
@@ -26,14 +26,8 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_docusign.yml b/detection-rules/impersonation_docusign.yml index 07d58391c7a..6e7f117f92d 100644 --- a/detection-rules/impersonation_docusign.yml +++ b/detection-rules/impersonation_docusign.yml @@ -53,14 +53,8 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml index 253133f8f10..051a47ccb46 100644 --- a/detection-rules/impersonation_employee_payroll_fraud.yml +++ b/detection-rules/impersonation_employee_payroll_fraud.yml @@ -25,14 +25,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" 
diff --git a/detection-rules/impersonation_employee_subject.yml b/detection-rules/impersonation_employee_subject.yml index 1897f23e05d..64e1e49a019 100644 --- a/detection-rules/impersonation_employee_subject.yml +++ b/detection-rules/impersonation_employee_subject.yml @@ -17,14 +17,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml index 3f6978174c4..3dedd16b611 100644 --- a/detection-rules/impersonation_employee_urgent_request.yml +++ b/detection-rules/impersonation_employee_urgent_request.yml @@ -26,14 +26,8 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml index 126d35c2cd8..5aaf6739e7e 100644 --- a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml +++ b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml 
@@ -11,14 +11,8 @@ source: | // First-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) // Reply-to is a freemail sender but From is not diff --git a/detection-rules/impersonation_finra.yml b/detection-rules/impersonation_finra.yml index 8922f317c38..00a8edc0f4e 100644 --- a/detection-rules/impersonation_finra.yml +++ b/detection-rules/impersonation_finra.yml @@ -15,14 +15,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml index 8b3b3e79a5f..39f73095517 100644 --- a/detection-rules/impersonation_github.yml +++ b/detection-rules/impersonation_github.yml @@ -29,14 +29,8 @@ source: | 'lithub.com' ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" 
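Review bot: In impersonation_finra.yml (the second hunk on this line) the comment `// unsolicited` now sits directly over `profile.by_sender().prevalence in ("new", "outlier")`, which is the first-time/rare-sender predicate this patch places under `// first-time sender` everywhere else, while the unsolicited predicate used elsewhere is `not profile.by_sender().solicited`. The mismatch already existed with the removed `$sender_emails`/`$sender_domains` lines, but this rewrite is the moment to settle it: either change the comment to `// first-time sender`, or, if the rule is meant to be unsolicited-based, swap the predicate to `not profile.by_sender().solicited`. The enclosing `source` block starts outside the hunk.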
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index 96c9e0d6bdc..5d11877830b 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml @@ -18,14 +18,8 @@ source: | and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0 ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml index 19f7c44aa24..6e2def76b67 100644 --- a/detection-rules/impersonation_microsoft.yml +++ b/detection-rules/impersonation_microsoft.yml @@ -45,14 +45,8 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml index f8c180384a7..65e71fe72de 100644 --- a/detection-rules/impersonation_paypal.yml +++ b/detection-rules/impersonation_paypal.yml 
@@ -55,14 +55,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml index d02e2a84f81..7a5460776d2 100644 --- a/detection-rules/impersonation_recipient_domain.yml +++ b/detection-rules/impersonation_recipient_domain.yml @@ -34,14 +34,8 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml index 193fc25d260..a979b2670f1 100644 --- a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml +++ b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml 
@@ -27,14 +27,8 @@ source: | ) and sender.email.domain.root_domain not in $org_domains and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_ripple.yml b/detection-rules/impersonation_ripple.yml index da3450cfb57..91f365ad60f 100644 --- a/detection-rules/impersonation_ripple.yml +++ b/detection-rules/impersonation_ripple.yml @@ -11,14 +11,8 @@ source: | and regex.imatch(sender.display_name, '\bripple\b') and sender.email.domain.root_domain not in ("ripple.com", "ripplejobs.co.uk") and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Cryptocurrency" diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml index cfddbc55737..63b90c6376b 100644 --- a/detection-rules/impersonation_spotify.yml +++ b/detection-rules/impersonation_spotify.yml 
@@ -22,14 +22,8 @@ source: | and sender.email.domain.domain not in~ ('privaterelay.appleid.com') // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_stellar.yml b/detection-rules/impersonation_stellar.yml index 0a6c3a65b1e..e86e05a8831 100644 --- a/detection-rules/impersonation_stellar.yml +++ b/detection-rules/impersonation_stellar.yml @@ -11,14 +11,8 @@ source: | and regex.imatch(sender.display_name, '\bstellar\b') and sender.email.domain.root_domain != "stellar.org" and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) tags: - "Cryptocurrency" diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml index 092022258c8..44b78d27727 100644 --- a/detection-rules/impersonation_sublime_security.yml +++ b/detection-rules/impersonation_sublime_security.yml 
@@ -14,14 +14,8 @@ source: | and sender.email.domain.domain != 'sublimesecurity.com' // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml index a0b24a6fd91..e8111ff79ed 100644 --- a/detection-rules/impersonation_vip_urgent_request.yml +++ b/detection-rules/impersonation_vip_urgent_request.yml @@ -17,14 +17,8 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/inline_image_as_message.yml b/detection-rules/inline_image_as_message.yml index ce0948fce12..d31a700f232 100644 --- a/detection-rules/inline_image_as_message.yml +++ b/detection-rules/inline_image_as_message.yml 
@@ -21,14 +21,8 @@ source: | ) and strings.ilike(body.html.raw, "*img*cid*") and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml index 214ae9fda81..3c6dd0f058f 100644 --- a/detection-rules/link_credential_phishing.yml +++ b/detection-rules/link_credential_phishing.yml @@ -11,14 +11,8 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml index c564026ff9a..fb3cd6a534c 100644 --- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml +++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml 
@@ -299,14 +299,8 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml index 60f0fe56787..8eeda00299c 100644 --- a/detection-rules/link_credential_phishing_secure_message.yml +++ b/detection-rules/link_credential_phishing_secure_message.yml @@ -32,14 +32,8 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml index f8d7ac3732c..e3b12902721 100644 --- a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml +++ b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml 
@@ -46,14 +46,8 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml index a5eb16d114e..d72e2061455 100644 --- a/detection-rules/link_credential_phishing_voicemail_language.yml +++ b/detection-rules/link_credential_phishing_voicemail_language.yml @@ -53,14 +53,8 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) + not profile.by_sender().solicited + or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/link_download_disk_image_in_encrypted_zip.yml b/detection-rules/link_download_disk_image_in_encrypted_zip.yml index 4d4019a331e..63a170b0886 100644 --- a/detection-rules/link_download_disk_image_in_encrypted_zip.yml +++ b/detection-rules/link_download_disk_image_in_encrypted_zip.yml 
@@ -26,14 +26,8 @@ source: |
 )
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tags:
 - "Malfam: QakBot"
diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml
index 969c0ef8cdb..fdaaff2cd57 100644
--- a/detection-rules/link_download_suspicious_file.yml
+++ b/detection-rules/link_download_suspicious_file.yml
@@ -35,14 +35,8 @@ source: |
 )
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Malware/Ransomware"
diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml
index 0974ab392d0..2f28edc3645 100644
--- a/detection-rules/link_fake_fax_low_reputation.yml
+++ b/detection-rules/link_fake_fax_low_reputation.yml
@@ -46,14 +46,8 @@ source: |
 // first time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_google_apps_script_macro.yml b/detection-rules/link_google_apps_script_macro.yml
index 646a0a9f669..08635d7b595 100644
--- a/detection-rules/link_google_apps_script_macro.yml
+++ b/detection-rules/link_google_apps_script_macro.yml
@@ -13,14 +13,8 @@ source: |
 )
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_google_translate.yml b/detection-rules/link_google_translate.yml
index e77a82d2eb9..349bba7b1d7 100644
--- a/detection-rules/link_google_translate.yml
+++ b/detection-rules/link_google_translate.yml
@@ -12,14 +12,8 @@ source: |
 type.inbound
 and any(body.links, .href_url.domain.root_domain == "translate.goog")
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tags:
 - "Attack surface reduction"
diff --git a/detection-rules/link_html_smuggling_with_adobe_branding.yml b/detection-rules/link_html_smuggling_with_adobe_branding.yml
index 28d17dd563f..f6fc12d7e18 100644
--- a/detection-rules/link_html_smuggling_with_adobe_branding.yml
+++ b/detection-rules/link_html_smuggling_with_adobe_branding.yml
@@ -27,14 +27,8 @@ source: |
 )
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tags:
 - "Malfam: QakBot"
diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
index 0038b4ffdf7..20dfcafc559 100644
--- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml
+++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
@@ -32,14 +32,8 @@ source: |
 )
 // Unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tags:
 - "Malfam: QakBot"
diff --git a/detection-rules/link_ipfs_phishing.yml b/detection-rules/link_ipfs_phishing.yml
index bb6973c2c02..d09b4cbb240 100644
--- a/detection-rules/link_ipfs_phishing.yml
+++ b/detection-rules/link_ipfs_phishing.yml
@@ -33,14 +33,8 @@ source: |
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_login_or_captcha.yml b/detection-rules/link_login_or_captcha.yml
index 5e9aed2b023..74ccaaa1c5f 100644
--- a/detection-rules/link_login_or_captcha.yml
+++ b/detection-rules/link_login_or_captcha.yml
@@ -31,14 +31,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_microsoft_device_code_phish.yml b/detection-rules/link_microsoft_device_code_phish.yml
index 6553b9b081d..550fc059c85 100644
--- a/detection-rules/link_microsoft_device_code_phish.yml
+++ b/detection-rules/link_microsoft_device_code_phish.yml
@@ -35,14 +35,8 @@ source: |
 // Unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
index 1469d86d458..50a74c471a1 100644
--- a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
+++ b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
@@ -35,14 +35,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_new_domain_in_link_first_time_sender.yml b/detection-rules/link_new_domain_in_link_first_time_sender.yml
index ea1ed146a45..975f224082e 100644
--- a/detection-rules/link_new_domain_in_link_first_time_sender.yml
+++ b/detection-rules/link_new_domain_in_link_first_time_sender.yml
@@ -8,14 +8,8 @@ source: |
 and length(body.links) > 0
 and any(body.links, beta.whois(.href_url.domain).days_old <= 10)
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tags:
 - "Attack surface reduction"
diff --git a/detection-rules/link_notion_file_share.yml b/detection-rules/link_notion_file_share.yml
index 8491cd00bac..ad251dfae4f 100644
--- a/detection-rules/link_notion_file_share.yml
+++ b/detection-rules/link_notion_file_share.yml
@@ -46,14 +46,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index cdae99e81c3..5d600e5ed07 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -46,14 +46,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
index 7fcb7a130ba..375242816b3 100644
--- a/detection-rules/link_suspicious_language_undisclosed_recipients.yml
+++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
@@ -39,14 +39,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/mass_campaign_recipient_address_new_sender.yml b/detection-rules/mass_campaign_recipient_address_new_sender.yml
index 92faf055f48..21da6f575b5 100644
--- a/detection-rules/mass_campaign_recipient_address_new_sender.yml
+++ b/detection-rules/mass_campaign_recipient_address_new_sender.yml
@@ -18,14 +18,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 and (
 any(recipients.to,
diff --git a/detection-rules/open_redirect_avast.yml b/detection-rules/open_redirect_avast.yml
index 5ff4fcde8b6..428066253fc 100644
--- a/detection-rules/open_redirect_avast.yml
+++ b/detection-rules/open_redirect_avast.yml
@@ -10,14 +10,8 @@ source: |
 )
 and sender.email.domain.root_domain != "avast.com"
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/recipients_undisclosed_free_subdomain_host.yml b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
index 0554bc90112..e3d71bbe26e 100644
--- a/detection-rules/recipients_undisclosed_free_subdomain_host.yml
+++ b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
@@ -22,14 +22,8 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tactics_and_techniques:
 - "Free subdomain host"
diff --git a/detection-rules/sender_new_from_domain_first_time_sender.yml b/detection-rules/sender_new_from_domain_first_time_sender.yml
index ba5fbdbf256..d887ce64acb 100644
--- a/detection-rules/sender_new_from_domain_first_time_sender.yml
+++ b/detection-rules/sender_new_from_domain_first_time_sender.yml
@@ -7,14 +7,8 @@ source: |
 type.inbound
 and beta.whois(sender.email.domain).days_old <= 10
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tags:
 - "Attack surface reduction"
diff --git a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
index 55e02712629..b2ee2968b32 100644
--- a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
+++ b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
@@ -12,14 +12,8 @@ source: |
 and any(body.links, regex.icontains(.display_text, '(\bPassword:)', 'Hi.{0,5}Welcome\b'))
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Spam"
diff --git a/detection-rules/spam_new_domain_emojis.yml b/detection-rules/spam_new_domain_emojis.yml
index 8b01256663d..cd1af14fce2 100644
--- a/detection-rules/spam_new_domain_emojis.yml
+++ b/detection-rules/spam_new_domain_emojis.yml
@@ -24,14 +24,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Spam"
diff --git a/detection-rules/spam_url_shortener_emojis.yml b/detection-rules/spam_url_shortener_emojis.yml
index e793b36b770..29b0b0ddfa0 100644
--- a/detection-rules/spam_url_shortener_emojis.yml
+++ b/detection-rules/spam_url_shortener_emojis.yml
@@ -27,14 +27,8 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 attack_types:
 - "Spam"
diff --git a/detection-rules/vip_impersonation_attack_surface_reduction.yml b/detection-rules/vip_impersonation_attack_surface_reduction.yml
index 34f8fe317c9..2af7ac6ac23 100644
--- a/detection-rules/vip_impersonation_attack_surface_reduction.yml
+++ b/detection-rules/vip_impersonation_attack_surface_reduction.yml
@@ -23,26 +23,14 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
- or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
- )
+ not profile.by_sender().solicited
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
 )
 tags:
 - "Attack surface reduction"
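Review bot: The `or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)` term now appears in both of the ANDed blocks in vip_impersonation_attack_surface_reduction.yml, which is redundant: `(A or M) and (B or M)` is `(A and B) or M`, so the two blocks can be folded into one expression that states the intent directly and evaluates `profile.by_sender()` fewer times (assuming the call is not memoized, which the diff does not show). The folded form has the same truth table, so detection coverage is unchanged. A suggested rewrite of the two blocks follows; the conditions preceding them are outside the hunk.
```yaml
    // … unchanged: preceding conditions …
    // first-time sender and unsolicited, or a sender profile with prior malicious messages and no recorded false positives
    and (
      (
        profile.by_sender().prevalence in ("new", "outlier")
        and not profile.by_sender().solicited
      )
      or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
    )
```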