diff --git a/detection-rules/attachment_eml_file_with_ipfs_links.yml b/detection-rules/attachment_eml_file_with_ipfs_links.yml
index 5ce72088123..4d7b5c24f8f 100644
--- a/detection-rules/attachment_eml_file_with_ipfs_links.yml
+++ b/detection-rules/attachment_eml_file_with_ipfs_links.yml
@@ -19,7 +19,7 @@ source: |
 regex.icontains(beta.linkanalysis(.).effective_url.path,
 '[\.-/]ipfs|ipfs[\.-/]'
 )
- and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
+ and beta.linkanalysis(.).effective_url.domain.domain not in~ $org_domains
 and (
 (
 // don't include high rep domains
diff --git a/detection-rules/attachment_fake_slack_installer.yml b/detection-rules/attachment_fake_slack_installer.yml
index d7777a70020..ab48ffe726f 100644
--- a/detection-rules/attachment_fake_slack_installer.yml
+++ b/detection-rules/attachment_fake_slack_installer.yml
@@ -21,7 +21,7 @@ source: |
 and any(file.explode(.),
 any(.scan.url.urls,
 strings.iends_with(.path, ".exe")
- and .domain.root_domain not in $org_domains
+ and .domain.root_domain not in~ $org_domains
 )
 )
 )
diff --git a/detection-rules/attachment_fake_zoom_installer.yml b/detection-rules/attachment_fake_zoom_installer.yml
index 3eeb674f8c7..2a10feb79b4 100644
--- a/detection-rules/attachment_fake_zoom_installer.yml
+++ b/detection-rules/attachment_fake_zoom_installer.yml
@@ -20,7 +20,7 @@ source: |
 and any(file.explode(.),
 any(.scan.url.urls,
 strings.iends_with(.path, ".exe")
- and .domain.root_domain not in $org_domains
+ and .domain.root_domain not in~ $org_domains
 )
 )
 )
diff --git a/detection-rules/bec_fraud_scam_lure_out_of_band_pivot.yml b/detection-rules/bec_fraud_scam_lure_out_of_band_pivot.yml
index 9fbee820cbf..96b77a22d3f 100644
--- a/detection-rules/bec_fraud_scam_lure_out_of_band_pivot.yml
+++ b/detection-rules/bec_fraud_scam_lure_out_of_band_pivot.yml
@@ -15,7 +15,7 @@ source: |
 and all(recipients.to, .email.email == sender.email.email)
 // not an org domain
- and all(recipients.to, .email.domain.root_domain not in $org_domains)
+ and all(recipients.to, .email.domain.root_domain not in~ $org_domains)
 // one link
 and length(body.links) ==1
diff --git a/detection-rules/body_microsoft_logo_bing_redirect.yml b/detection-rules/body_microsoft_logo_bing_redirect.yml
index 0e1617419ce..90cefb31687 100644
--- a/detection-rules/body_microsoft_logo_bing_redirect.yml
+++ b/detection-rules/body_microsoft_logo_bing_redirect.yml
@@ -45,7 +45,7 @@ source: |
 // Bing redirect
 and any(body.links, .href_url.domain.root_domain == 'bing.com' and .href_url.path =~ '/ck/a')
- and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in~ $org_domains
 and sender.email.domain.root_domain not in (
 "bing.com",
 "microsoft.com",
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index fefefa60530..13cb3cdff45 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -57,7 +57,7 @@ source: |
 'synchronybank.com',
 )
 and sender.email.email not in $recipient_emails
- and sender.email.domain.domain not in $org_domains
+ and sender.email.domain.domain not in~ $org_domains
 // negate highly trusted sender domains unless they fail DMARC authentication
 and
diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml
index 5fdabd5913c..28ce13de79c 100644
--- a/detection-rules/impersonation_employee_payroll_fraud.yml
+++ b/detection-rules/impersonation_employee_payroll_fraud.yml
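Review bot: The new `not in~ $org_domains` on the sender check in body_microsoft_logo_bing_redirect.yml sits directly above a `not in (` list of `"bing.com"`, `"microsoft.com"` that stays case-sensitive, so whatever mixed-case domain values motivated this sweep would still miss that allow-list and could let the rule fire on a sender it is meant to exempt; the same `in~`-next-to-plain-`in` pattern appears in impersonation_sharepoint_fake_file_share.yml, impersonation_amazon.yml (`$recipient_emails`), impersonation_employee_payroll_fraud.yml (`$free_email_providers`), link_credential_phishing_voicemail_language.yml, link_fake_fax_low_reputation.yml, link_microsoft_low_reputation.yml, recon_large_recipients_unknown.yml, spoofable_internal_domain_suspicious_signals.yml (`$tranco_1m`, `$free_file_hosts`, `$alexa_1m`) and insights/links/low_reputation.yml. Whether those domain fields are already lower-cased upstream is not visible in the diff; if they are not, the literal lists at least should move to `and sender.email.domain.root_domain not in~ (`, the form link_quickbooks_image_lure_suspicious_link.yml already uses for its `'intuit.com'` list. If only `$org_domains` carries mixed-case entries, a short comment at one of these sites saying so would stop the next reader from applying the same change to the neighbours.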
@@ -10,7 +10,7 @@ source: |
 and length(attachments) == 0
 and length(body.current_thread.text) < 300
 and (
- sender.email.domain.root_domain not in $org_domains
+ sender.email.domain.root_domain not in~ $org_domains
 or sender.email.domain.root_domain in $free_email_providers
 )
 and 1 of (
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index 316da757473..06fc44b40ba 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -4,7 +4,7 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- and sender.email.domain.domain not in $org_domains
+ and sender.email.domain.domain not in~ $org_domains
 and regex.icontains(sender.display_name,
 '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
 )
diff --git a/detection-rules/impersonation_recipient_domain_display_name_subject.yml b/detection-rules/impersonation_recipient_domain_display_name_subject.yml
index f79278d8a49..eaa2a281701 100644
--- a/detection-rules/impersonation_recipient_domain_display_name_subject.yml
+++ b/detection-rules/impersonation_recipient_domain_display_name_subject.yml
@@ -51,7 +51,7 @@ source: |
 // this is fine because we should catch spoofs in other ways.
 // also, we use root_domain here to account for subdomains used by internal tools that aren't connected to the tenant.
 // this should also be safe because domains like onmicrosoft[.]com are tracked as FQDNs in $org_domains, so they won't match
- and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in~ $org_domains
 // negate highly trusted sender domains unless they fail DMARC authentication
 and (
diff --git a/detection-rules/impersonation_sharepoint_fake_file_share.yml b/detection-rules/impersonation_sharepoint_fake_file_share.yml
index 21c9bf465f9..3e9d31c86ef 100644
--- a/detection-rules/impersonation_sharepoint_fake_file_share.yml
+++ b/detection-rules/impersonation_sharepoint_fake_file_share.yml
@@ -16,7 +16,7 @@ source: |
 and not all(body.links,
 .href_url.domain.root_domain in ("microsoft.com", "sharepoint.com")
 )
- and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in~ $org_domains
 and sender.email.domain.root_domain not in (
 "bing.com",
 "microsoft.com",
diff --git a/detection-rules/link_credential_phishing_language_ipfs.yml b/detection-rules/link_credential_phishing_language_ipfs.yml
index b5a11b0e9c8..6fee9f62880 100644
--- a/detection-rules/link_credential_phishing_language_ipfs.yml
+++ b/detection-rules/link_credential_phishing_language_ipfs.yml
@@ -16,7 +16,7 @@ source: |
 regex.icontains(beta.linkanalysis(.).effective_url.path,
 '[\.-/]ipfs|ipfs[\.-/]'
 )
- and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
+ and beta.linkanalysis(.).effective_url.domain.domain not in~ $org_domains
 and (
 (
 // don't include high rep domains
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index e1044e01e7f..9ed5b838aac 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -25,7 +25,7 @@ source: |
 // sender domain matches no body domains
 all(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
- and .href_url.domain.root_domain not in $org_domains
+ and .href_url.domain.root_domain not in~ $org_domains
 and .href_url.domain.root_domain not in (
 "unitelvoice.com",
 "googleapis.com",
diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml
index 035ab88652b..52fc48a52b1 100644
--- a/detection-rules/link_fake_fax_low_reputation.yml
+++ b/detection-rules/link_fake_fax_low_reputation.yml
@@ -8,7 +8,7 @@ severity: "medium"
 source: |
 type.inbound
 and 0 < length(body.links) < 5
- and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in~ $org_domains
 and any(body.links,
 (
 .href_url.domain.domain not in $tranco_1m
diff --git a/detection-rules/link_google_fake_sign_in_image_lure.yml b/detection-rules/link_google_fake_sign_in_image_lure.yml
index 8f0d8bd3aa6..2cd6e8d169d 100644
--- a/detection-rules/link_google_fake_sign_in_image_lure.yml
+++ b/detection-rules/link_google_fake_sign_in_image_lure.yml
@@ -33,7 +33,7 @@ source: |
 or .href_url.domain.root_domain is null
 )
 )
- and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in~ $org_domains
 and sender.email.domain.root_domain != "google.com"
 attack_types:
 - "Credential Phishing"
diff --git a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
index a96f0c4381d..ad76f153f84 100644
--- a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
+++ b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
@@ -11,7 +11,7 @@ source: |
 (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
 or length(attachments) == 0
 )
- and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in~ $org_domains
 // not a reply
 and (
diff --git a/detection-rules/link_ipfs_phishing.yml b/detection-rules/link_ipfs_phishing.yml
index bfcc46f05ca..7b059a04862 100644
--- a/detection-rules/link_ipfs_phishing.yml
+++ b/detection-rules/link_ipfs_phishing.yml
@@ -14,7 +14,7 @@ source: |
 // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
 or (
 regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
- and .href_url.domain.domain not in $org_domains
+ and .href_url.domain.domain not in~ $org_domains
 and (
 (
 // don't include high rep domains
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 32f0bb07a26..3b319050605 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -41,7 +41,7 @@ source: |
 )
 or any(body.links, .href_url.domain.domain in $free_file_hosts)
 )
- and .href_url.domain.root_domain not in $org_domains
+ and .href_url.domain.root_domain not in~ $org_domains
 )
 // not a reply
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index ddbf41c778f..7b3cb9c0e8b 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -19,7 +19,7 @@ source: |
 and any(recipients.to, strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid
 )
- and .scan.qr.url.domain.root_domain not in $org_domains
+ and .scan.qr.url.domain.root_domain not in~ $org_domains
 )
 )
diff --git a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
index 4da4218bd0a..b66dc1ba3a7 100644
--- a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
+++ b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
@@ -62,7 +62,7 @@ source: |
 )
 or any(body.links, .href_url.domain.domain in $free_file_hosts)
 )
- and .href_url.domain.root_domain not in $org_domains
+ and .href_url.domain.root_domain not in~ $org_domains
 )
 and sender.email.domain.root_domain not in~ (
 'intuit.com',
diff --git a/detection-rules/recon_large_recipients_unknown.yml b/detection-rules/recon_large_recipients_unknown.yml
index 0a7537032fb..e2d66fa0914 100644
--- a/detection-rules/recon_large_recipients_unknown.yml
+++ b/detection-rules/recon_large_recipients_unknown.yml
@@ -10,7 +10,7 @@ source: |
 and (
 length(recipients.to) > 10
 and length(filter(recipients.to,
- .email.domain.domain not in $org_domains
+ .email.domain.domain not in~ $org_domains
 and .email.email not in $recipient_emails
 )
 ) >= 10
diff --git a/detection-rules/spoofable_internal_domain_suspicious_signals.yml b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
index 290b7c66cf9..4564fe9cfa8 100644
--- a/detection-rules/spoofable_internal_domain_suspicious_signals.yml
+++ b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
@@ -11,7 +11,7 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- and sender.email.domain.domain in $org_domains
+ and sender.email.domain.domain in~ $org_domains
 // doesn't match an org display name (generic)
 // we could make this more generic later
@@ -30,7 +30,7 @@ source: |
 (
 // low reputation / suspicious link
 any(body.links,
- .href_url.domain.root_domain not in $org_domains
+ .href_url.domain.root_domain not in~ $org_domains
 and (
 .href_url.domain.root_domain not in $tranco_1m
 or .href_url.domain.domain in $free_file_hosts
@@ -51,7 +51,7 @@ source: |
 // suspicious domain in headers
 any(headers.domains,
 // it's not an org domain
- .root_domain not in $org_domains
+ .root_domain not in~ $org_domains
 // low reputation
 and .root_domain not in $alexa_1m
diff --git a/discovery-rules/impersonation_recipient_sld_in_sender_local_fts.yml b/discovery-rules/impersonation_recipient_sld_in_sender_local_fts.yml
index b74e05bc24d..720e7c3e946 100644
--- a/discovery-rules/impersonation_recipient_sld_in_sender_local_fts.yml
+++ b/discovery-rules/impersonation_recipient_sld_in_sender_local_fts.yml
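Review bot: The first spoofable_internal_domain_suspicious_signals.yml hunk changes a positive gate, `sender.email.domain.domain in~ $org_domains`, rather than an exclusion like every other hunk in this commit, so it widens the set of messages the rule treats as internal instead of narrowing a negation; nothing in the diff records why, and the two comments that follow describe other conditions. A one-line comment above it, e.g. `// in~: the org-domain match here must be case-insensitive, like the exclusions elsewhere`, would keep the intent from being lost in the next sweep over these operators.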
@@ -30,7 +30,7 @@ source: |
 any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
 and strings.contains(sender.display_name, "via")
 )
- and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in~ $org_domains
 and sender.email.domain.root_domain not in ("medallia.com", "icims.com", "workday.com")
 and (
 profile.by_sender().prevalence in ("new", "outlier")
diff --git a/insights/links/low_reputation.yml b/insights/links/low_reputation.yml
index 4a4693460fd..ba94798ebb4 100644
--- a/insights/links/low_reputation.yml
+++ b/insights/links/low_reputation.yml
@@ -2,7 +2,7 @@ name: "Low reputation links"
 type: "query"
 source: |
 distinct(map(filter(body.links,
- .href_url.domain.root_domain not in $tranco_1m and .href_url.domain.valid !=false and .href_url.domain.root_domain not in $org_domains),
+ .href_url.domain.root_domain not in $tranco_1m and .href_url.domain.valid !=false and .href_url.domain.root_domain not in~ $org_domains),
 .href_url.url), .)
 severity: "low"
 tags:
diff --git a/signals/links/link_domains_do_not_match_sender_domain.yml b/signals/links/link_domains_do_not_match_sender_domain.yml
index 85d2dac7395..3ffe96145c1 100644
--- a/signals/links/link_domains_do_not_match_sender_domain.yml
+++ b/signals/links/link_domains_do_not_match_sender_domain.yml
@@ -4,5 +4,5 @@ source: |
 length(body.links) > 0
 and all(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
- and .href_url.domain.root_domain not in $org_domains
+ and .href_url.domain.root_domain not in~ $org_domains
 )
diff --git a/signals/links/link_ipfs.yml b/signals/links/link_ipfs.yml
index 7c72380158d..e7fff9b9fce 100644
--- a/signals/links/link_ipfs.yml
+++ b/signals/links/link_ipfs.yml
@@ -8,7 +8,7 @@ source: |
 // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
 or (
 regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
- and .href_url.domain.domain not in $org_domains
+ and .href_url.domain.domain not in~ $org_domains
 and (
 (
 // don't include high rep domains