TEST - Update attachment_microsoft_image_lure_qr_code.yml by @morriscode #930 Source SHA ca434ed Triggered by @morriscode
Sublime Rule Testing Bot
committed
Nov 7, 2023
1 parent
a9105b5
commit fe24985
Showing
1 changed file
with
21 additions
and
0 deletions.
21 changes: 21 additions & 0 deletions
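--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -0,0 +1,21 @@
+name: "Brand impersonation: Microsoft (QR code)"
+description: |
+Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
+type: "rule"
+severity: "high"
+source: "type.inbound\nand (\n any(attachments,\n (.file_type in $file_types_images or .file_type == \"pdf\")\n and any(ml.logo_detect(.).brands, strings.starts_with(.name, \"Microsoft\"))\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, \"Microsoft\"))\n or (any(attachments, .file_type in~ $file_extensions_macros))\n)\nand any(attachments,\n (\n .file_type in $file_types_images\n or .file_type == \"pdf\"\n or .file_type in $file_extensions_macros\n )\n and (\n any(file.explode(.),\n regex.icontains(.scan.ocr.raw, 'scan|camera')\n and regex.icontains(.scan.ocr.raw, '\\bQR\\b|Q\\.R\\.|barcode')\n )\n or (\n any(file.explode(.),\n .scan.qr.type == \"url\"\n // recipient email address is present in the URL, a common tactic used in credential phishing attacks \n and any(recipients.to,\n strings.icontains(..scan.qr.data, .email.email)\n \n // the recipients sld is in the senders display name\n or any(recipients.to,\n strings.icontains(sender.display_name, .email.domain.sld)\n )\n\n // the recipient local is in the body \n or any(recipients.to,\n strings.icontains(body.current_thread.text, .email.local_part)\n )\n\n // or the body is null \n or body.current_thread.text is null\n or body.current_thread.text == \"\"\n\n // or the subject contains authentication/urgency verbiage\n or regex.contains(subject.subject,\n \"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)\"\n )\n )\n )\n )\n )\n)\nand (\n not any(headers.hops,\n .authentication_results.compauth.verdict is not null\n and .authentication_results.compauth.verdict == \"pass\"\n and sender.email.domain.domain == \"microsoft.com\"\n )\n)\n"
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "PDF"
+- "QR code"
+- "Social engineering"
+detection_methods:
+- "Computer Vision"
+- "Header analysis"
+- "QR code analysis"
+- "Sender analysis"
+id: "ed0f772a-6543-5947-80d1-55a11ea63074"
+testing_pr: 930
+testing_sha: ca434edac91d84ae5067d4660eb8917f5f2ffa1f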
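Review bot: The subject check in `source` uses case-sensitive `regex.contains` while every other text match in the rule uses `regex.icontains` or `strings.icontains`, so subjects written as "ALERT", "2FA" or "Action Required" fall outside the `(Authenticat(e|or|ion)|2fa|Multi.Factor|...)` alternation; switching that one call to `regex.icontains(subject.subject, ...)` would bring it in line with the rest of the rule. The macro-attachment tests are also inconsistent with each other: the first block uses `.file_type in~ $file_extensions_macros` and the second `.file_type in $file_extensions_macros`, so an attachment whose extension differs only in case can pass the first gate and fail the second. The description says the lure comes from an "Unsolicited sender", but nothing in `source` tests sender history, so either the description or the logic should be adjusted. Note too that the macro-attachment alternative in the first block lets the rule fire with no Microsoft logo detected at all, which may be intended but deserves an inline `//` comment in `source` explaining why a macro attachment substitutes for the brand match.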