From fca8797a7c4a64e5c57e2f4172ada215c0764e19 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 21 Nov 2023 10:26:34 -0800
Subject: [PATCH] Create impersonation_dotloop.yml (#999)

Co-authored-by: ID Generator
Co-authored-by: Sam Scholten
Co-authored-by: Sam Scholten
---
 detection-rules/impersonation_dotloop.yml | 41 +++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 detection-rules/impersonation_dotloop.yml

diff --git a/detection-rules/impersonation_dotloop.yml b/detection-rules/impersonation_dotloop.yml
new file mode 100644
index 00000000000..7c0797e311d
--- /dev/null
+++ b/detection-rules/impersonation_dotloop.yml
@@ -0,0 +1,41 @@
+name: "Brand impersonation: Dotloop"
+description: "Impersonation of Dotloop, a real estate transaction management platform."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.ilike(sender.display_name, '*dotloop*')
+    or strings.ilike(sender.email.domain.domain, '*dotloop*')
+  )
+  and sender.email.domain.root_domain not in~ ('dotloop.com', 'showingtime.com')
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
+  and not profile.by_sender().any_false_positives
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+          strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+id: "f997581a-ca08-5b21-8a52-ee0ca78fcea5"
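Review bot: The exclusion `sender.email.domain.root_domain not in~ ('dotloop.com', 'showingtime.com')` is unconditional, so a message whose envelope or From domain is a spoof of dotloop.com is dropped before the prevalence and DMARC logic ever runs, while the later block only applies the DMARC-failure condition to `$high_trust_sender_root_domains`. The brand's own domains deserve the same treatment: exclude them only when the message does not carry a DMARC failure, reusing the `headers.hops` check the rule already uses for high-trust domains (if the platform exposes a direct DMARC-pass summary field, that would read more simply, but I have not verified one here). The list also pairs `showingtime.com` with `dotloop.com` without explanation; a one-line comment such as `// showingtime.com: related/affiliated sender domain — confirm with the rule author` would save the next reviewer from guessing. The rest of the rule (prevalence/solicited gating, false-positive negation, high-trust DMARC carve-out) follows the established pattern and looks fine.
```yaml
  # … unchanged: display-name / domain ilike matching …
  and not (
    sender.email.domain.root_domain in~ ('dotloop.com', 'showingtime.com')
    and not any(distinct(headers.hops, .authentication_results.dmarc is not null),
      strings.ilike(.authentication_results.dmarc, "*fail")
    )
  )
  # … unchanged: prevalence, false-positive and high-trust-domain logic …
```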