From 363dab9779b084ce9be3e03bf90969cc21111d35 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 20 Nov 2023 12:25:38 -0500
Subject: [PATCH 1/4] New Rule: Credential Phishing: Fake Password Expiration
---
 ...tial_phishing_fake_password_expiration.yml | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 credential_phishing_fake_password_expiration.yml
diff --git a/credential_phishing_fake_password_expiration.yml b/credential_phishing_fake_password_expiration.yml
new file mode 100644
index 00000000000..54fcf76b6f9
--- /dev/null
+++ b/credential_phishing_fake_password_expiration.yml
@@ -0,0 +1,68 @@
+name: "Credential Phishing: Fake Password Expiration from New and Unsolicited sender"
+description: "This rule looks for password expiration verbiage in the subject and body. It requires between 1 and 9 links in the body. The rule uses NLU in addition to statically specified term anchors. High trust senders are also negated. "
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ // no attachments
+ and length(attachments) == 0
+
+ // body contains expire, expiration, loose, lose
+ and regex.icontains(body.current_thread.text, '(expir(e)?ation|lo(o)?se)')
+
+ // subject or body contains account or access
+ and any([subject.subject, body.current_thread.text],
+ regex.icontains(body.current_thread.text, "account|access")
+ )
+
+ // subject or body must contains password
+ and any([subject.subject, body.current_thread.text],
+ regex.icontains(body.current_thread.text, '\bpassword\b')
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence == "high"
+ )
+
+ // sender is new and unsolicited and no previous malicious or spam flaggs
+ and (
+ (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
+ or profile.by_sender().any_messages_malicious_or_spam
+ )
+
+ // no false positives
+ and not profile.by_sender().any_false_positives
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+ // body length between 600 and 2000
+ and 600 < length(body.current_thread.text) < 2000
+
+ // not a reply
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+ 
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
From 34a976130fb2d849382978ac483e664ebefe7dfd Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 20 Nov 2023 13:57:20 -0500
Subject: [PATCH 2/4] Update credential_phishing_fake_password_expiration.yml
---
 credential_phishing_fake_password_expiration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/credential_phishing_fake_password_expiration.yml b/credential_phishing_fake_password_expiration.yml
index 54fcf76b6f9..1ceca0e1724 100644
--- a/credential_phishing_fake_password_expiration.yml
+++ b/credential_phishing_fake_password_expiration.yml
@@ -1,5 +1,5 @@
 name: "Credential Phishing: Fake Password Expiration from New and Unsolicited sender"
-description: "This rule looks for password expiration verbiage in the subject and body. It requires between 1 and 9 links in the body. The rule uses NLU in addition to statically specified term anchors. High trust senders are also negated. "
+description: "This rule looks for password expiration verbiage in the subject and body. It requires between 1 and 9 links in the body. The rule uses NLU in addition to statically specified term anchors. High trust senders are also negated."
 type: "rule"
 severity: "medium"
 source: |
From d36c1092f36fc5007c75c9423785dd45c6eded64 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 21 Feb 2024 09:24:03 -0500
Subject: [PATCH 3/4] Update credential_phishing_fake_password_expiration.yml
---
 credential_phishing_fake_password_expiration.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/credential_phishing_fake_password_expiration.yml b/credential_phishing_fake_password_expiration.yml
index 1ceca0e1724..79f36e2c546 100644
--- a/credential_phishing_fake_password_expiration.yml
+++ b/credential_phishing_fake_password_expiration.yml
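Review bot: The two "subject or body" checks in `source` never look at the subject: `any([subject.subject, body.current_thread.text], regex.icontains(body.current_thread.text, ...))` evaluates the body on both iterations, so a password-expiration subject paired with a generic body will not match. The predicate should test the iterated element, which this rule already references with a leading `.` in the `.name == "cred_theft"` clause, e.g. `regex.icontains(., "account|access")` and `regex.icontains(., '\bpassword\b')`. The description also promises "between 1 and 9 links in the body", but no link-count condition appears anywhere in `source`; either add that condition or drop the sentence so the description documents what the rule actually enforces. The term regex `(expir(e)?ation|lo(o)?se)` does not match "expire"/"expires" and does match "close"/"disclose", contradicting the comment above it; `'\b(expir(e|es|ed|ation)|lo(o)?se)\b'` would match what the comment says. Separately, PATCH 4/4 moves the file into `detecdetection-rules/`, which reads like a typo for a `detection-rules/` directory and is worth confirming before merge.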
@@ -57,7 +57,7 @@ source: |
 length(headers.references) == 0
 or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 )
- 
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
From 55a1261f5d3dd2f41d2b491bb6c7d9125e8dc289 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 21 Feb 2024 09:27:08 -0500
Subject: [PATCH 4/4] Rename credential_phishing_fake_password_expiration.yml to detecdetection-rules/credential_phishing_fake_password_expiration.yml
---
 .../credential_phishing_fake_password_expiration.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename credential_phishing_fake_password_expiration.yml => detecdetection-rules/credential_phishing_fake_password_expiration.yml (100%)
diff --git a/credential_phishing_fake_password_expiration.yml b/detecdetection-rules/credential_phishing_fake_password_expiration.yml
similarity index 100%
rename from credential_phishing_fake_password_expiration.yml
rename to detecdetection-rules/credential_phishing_fake_password_expiration.yml