sublime-security · aidenmitchell · Dec 5, 2023 · Dec 5, 2023 · Dec 5, 2023 · Dec 5, 2023
@@ -19,7 +19,7 @@ source: |
                         regex.icontains(beta.linkanalysis(.).effective_url.path,
                                         '[\.-/]ipfs|ipfs[\.-/]'
                         )
-                        and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
+                        and beta.linkanalysis(.).effective_url.domain.domain not in~ $org_domains
                         and (
                           (
                             // don't include high rep domains

@@ -21,7 +21,7 @@ source: |
         and any(file.explode(.),
                 any(.scan.url.urls,
                     strings.iends_with(.path, ".exe")
-                    and .domain.root_domain not in $org_domains
+                    and .domain.root_domain not in~ $org_domains
                 )
         )
     )

@@ -20,7 +20,7 @@ source: |
           and any(file.explode(.),
                   any(.scan.url.urls,
                       strings.iends_with(.path, ".exe")
-                      and .domain.root_domain not in $org_domains
+                      and .domain.root_domain not in~ $org_domains
                   )
           )
   )

@@ -15,7 +15,7 @@ source: |
   and all(recipients.to, .email.email == sender.email.email)
 
   // not an org domain
-  and all(recipients.to, .email.domain.root_domain not in $org_domains)
+  and all(recipients.to, .email.domain.root_domain not in~ $org_domains)
 
   // one link
   and length(body.links) ==1

@@ -45,7 +45,7 @@ source: |
 
   // Bing redirect
   and any(body.links, .href_url.domain.root_domain == 'bing.com' and .href_url.path =~ '/ck/a')
-  and sender.email.domain.root_domain not in $org_domains
+  and sender.email.domain.root_domain not in~ $org_domains
   and sender.email.domain.root_domain not in (
     "bing.com",
     "microsoft.com",

@@ -57,7 +57,7 @@ source: |
     'synchronybank.com',
   )
   and sender.email.email not in $recipient_emails
-  and sender.email.domain.domain not in $org_domains
+  and sender.email.domain.domain not in~ $org_domains
 
   // negate highly trusted sender domains unless they fail DMARC authentication
   and

@@ -10,7 +10,7 @@ source: |
   and length(attachments) == 0
   and length(body.current_thread.text) < 300
   and (
-    sender.email.domain.root_domain not in $org_domains
+    sender.email.domain.root_domain not in~ $org_domains
     or sender.email.domain.root_domain in $free_email_providers
   )
   and 1 of (

@@ -4,7 +4,7 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and sender.email.domain.domain not in $org_domains
+  and sender.email.domain.domain not in~ $org_domains
   and regex.icontains(sender.display_name,
                       '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
   )

@@ -51,7 +51,7 @@ source: |
   // this is fine because we should catch spoofs in other ways.
   // also, we use root_domain here to account for subdomains used by internal tools that aren't connected to the tenant.
   // this should also be safe because domains like onmicrosoft[.]com are tracked as FQDNs in $org_domains, so they won't match
-  and sender.email.domain.root_domain not in $org_domains
+  and sender.email.domain.root_domain not in~ $org_domains
 
   // negate highly trusted sender domains unless they fail DMARC authentication
   and (

@@ -16,7 +16,7 @@ source: |
   and not all(body.links,
               .href_url.domain.root_domain in ("microsoft.com", "sharepoint.com")
   )
-  and sender.email.domain.root_domain not in $org_domains
+  and sender.email.domain.root_domain not in~ $org_domains
   and sender.email.domain.root_domain not in (
     "bing.com",
     "microsoft.com",

@@ -16,7 +16,7 @@ source: |
             regex.icontains(beta.linkanalysis(.).effective_url.path,
                             '[\.-/]ipfs|ipfs[\.-/]'
             )
-            and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
+            and beta.linkanalysis(.).effective_url.domain.domain not in~ $org_domains
             and (
               (
                 // don't include high rep domains

@@ -25,7 +25,7 @@ source: |
         // sender domain matches no body domains
         all(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
-            and .href_url.domain.root_domain not in $org_domains
+            and .href_url.domain.root_domain not in~ $org_domains
             and .href_url.domain.root_domain not in (
               "unitelvoice.com",
               "googleapis.com",

@@ -8,7 +8,7 @@ severity: "medium"
 source: |
   type.inbound
   and 0 < length(body.links) < 5
-  and sender.email.domain.root_domain not in $org_domains
+  and sender.email.domain.root_domain not in~ $org_domains
   and any(body.links,
           (
             .href_url.domain.domain not in $tranco_1m

@@ -33,7 +33,7 @@ source: |
             or .href_url.domain.root_domain is null
     )
   )
-  and sender.email.domain.root_domain not in $org_domains
+  and sender.email.domain.root_domain not in~ $org_domains
   and sender.email.domain.root_domain != "google.com"
 attack_types:
   - "Credential Phishing"

@@ -11,7 +11,7 @@ source: |
     (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
     or length(attachments) == 0
   )
-  and sender.email.domain.root_domain not in $org_domains
+  and sender.email.domain.root_domain not in~ $org_domains
 
   // not a reply
   and (

@@ -14,7 +14,7 @@ source: |
           // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
           or (
             regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
-            and .href_url.domain.domain not in $org_domains
+            and .href_url.domain.domain not in~ $org_domains
             and (
               (
                 // don't include high rep domains

@@ -41,7 +41,7 @@ source: |
            )
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
-         and .href_url.domain.root_domain not in $org_domains
+         and .href_url.domain.root_domain not in~ $org_domains
  )
 
  // not a reply

@@ -19,7 +19,7 @@ source: |
                   and any(recipients.to,
                           strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid
                   )
-                  and .scan.qr.url.domain.root_domain not in $org_domains
+                  and .scan.qr.url.domain.root_domain not in~ $org_domains
           )
   )
 

@@ -62,7 +62,7 @@ source: |
             )
             or any(body.links, .href_url.domain.domain in $free_file_hosts)
           )
-          and .href_url.domain.root_domain not in $org_domains
+          and .href_url.domain.root_domain not in~ $org_domains
   )
   and sender.email.domain.root_domain not in~ (
     'intuit.com',

@@ -10,7 +10,7 @@ source: |
   and (
     length(recipients.to) > 10
     and length(filter(recipients.to,
-                      .email.domain.domain not in $org_domains
+                      .email.domain.domain not in~ $org_domains
                       and .email.email not in $recipient_emails
                )
     ) >= 10

@@ -11,7 +11,7 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and sender.email.domain.domain in $org_domains
+  and sender.email.domain.domain in~ $org_domains
 
   // doesn't match an org display name (generic)
   // we could make this more generic later
@@ -30,7 +30,7 @@ source: |
     (
       // low reputation / suspicious link
       any(body.links,
-          .href_url.domain.root_domain not in $org_domains
+          .href_url.domain.root_domain not in~ $org_domains
           and (
             .href_url.domain.root_domain not in $tranco_1m
             or .href_url.domain.domain in $free_file_hosts
@@ -51,7 +51,7 @@ source: |
       // suspicious domain in headers
       any(headers.domains,
           // it's not an org domain
-          .root_domain not in $org_domains
+          .root_domain not in~ $org_domains
 
           // low reputation
           and .root_domain not in $alexa_1m

@@ -30,7 +30,7 @@ source: |
       any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
       and strings.contains(sender.display_name, "via")
   )
-  and sender.email.domain.root_domain not in $org_domains
+  and sender.email.domain.root_domain not in~ $org_domains
   and sender.email.domain.root_domain not in  ("medallia.com", "icims.com", "workday.com")
   and (
     profile.by_sender().prevalence in ("new", "outlier")

@@ -2,7 +2,7 @@ name: "Low reputation links"
 type: "query"
 source: |
     distinct(map(filter(body.links, 
-        .href_url.domain.root_domain not in $tranco_1m and .href_url.domain.valid !=false and .href_url.domain.root_domain not in $org_domains), 
+        .href_url.domain.root_domain not in $tranco_1m and .href_url.domain.valid !=false and .href_url.domain.root_domain not in~ $org_domains), 
     .href_url.url), .)
 severity: "low"
 tags:

@@ -4,5 +4,5 @@ source: |
     length(body.links) > 0
     and all(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
-            and .href_url.domain.root_domain not in $org_domains
+            and .href_url.domain.root_domain not in~ $org_domains
     )
@@ -8,7 +8,7 @@ source: |
         // Or the path contains ipfs anchored to a leading and trailing '-', '/', '.'
         or (
           regex.icontains(.href_url.query_params, '[\.-/]ipfs[\.-/]')
-          and .href_url.domain.domain not in $org_domains
+          and .href_url.domain.domain not in~ $org_domains
           and (
             (
               // don't include high rep domains