From 0323b126dac75749737f95c1b93f2190c4a753ec Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Wed, 6 Dec 2023 10:18:08 -0800
Subject: [PATCH 1/2] New rule: invoicera_infra_abuse.yml
---
 detection-rules/invoicera_infra_abuse.yml | 43 +++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 detection-rules/invoicera_infra_abuse.yml
diff --git a/detection-rules/invoicera_infra_abuse.yml b/detection-rules/invoicera_infra_abuse.yml
new file mode 100644
index 00000000000..d0b6df3a18d
--- /dev/null
+++ b/detection-rules/invoicera_infra_abuse.yml
@@ -0,0 +1,43 @@
+name: "Invoicera infrastructure abuse"
+description: "This rule is tailored to flag infrastructural abuse involving Invoicera, a SaaS-based invoicing and billing platform, which has been identified as a tool in widespread spam and credential phishing campaigns."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and sender.email.domain.root_domain == "invoicera.com"
+ // suspicious recipient pattern
+ and (
+ length(recipients.to) == 0
+ or any(recipients.to, .email.domain.valid == false)
+ or length(recipients.bcc) > 0
+ )
+ // suspicious link
+ and (
+ any(body.links,
+ .href_url.domain.root_domain in $free_file_hosts
+ or .href_url.domain.domain in $free_file_hosts
+ )
+ or any(body.links,
+ .href_url.domain.root_domain in $free_subdomain_hosts
+ and .href_url.domain.subdomain is not null
+ and .href_url.domain.subdomain != "www"
+ )
+ )
+ // mismatched reply-to
+ and (
+ headers.return_path.email is not null
+ and headers.return_path.email != sender.email.email
+ )
+
+attack_types:
+ - "Credential Phishing"
+ - "Spam"
+tactics_and_techniques:
+ - "Free file host"
+ - "Free subdomain host"
+ - "Image as content"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
From ac8002e3e69e085313cba8015e2de4b04048f4ec Mon Sep 17 00:00:00 2001
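Review bot: The comment `// mismatched reply-to` above the last clause of `source` does not describe the check beneath it, which compares `headers.return_path.email` against `sender.email.email` — a Return-Path/From mismatch, not a Reply-To one — so it should read `// mismatched return-path (Return-Path vs From)` to stop the next reader looking for a reply_to condition. The `tactics_and_techniques` list also tags the rule with `"Image as content"`, yet no condition in `source` inspects images or attachments; either drop that tag or add the condition it refers to so the metadata matches what the rule actually detects. The Return-Path clause is presumably there to separate abuse of the platform from its legitimate mail, but if Invoicera's bounce address routinely differs from the From address that clause will be satisfied by benign messages as well — worth confirming against a sample of known-good mail before treating it as a discriminator.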
From: ID Generator
Date: Wed, 6 Dec 2023 18:21:28 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/invoicera_infra_abuse.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/invoicera_infra_abuse.yml b/detection-rules/invoicera_infra_abuse.yml
index d0b6df3a18d..d81e0f671d3 100644
--- a/detection-rules/invoicera_infra_abuse.yml
+++ b/detection-rules/invoicera_infra_abuse.yml
@@ -41,3 +41,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "1e56f310-750b-5c26-84eb-63e78f20a6bd"