From 47db1ea0bb500dae6eb7047e51f31753edfaf7f3 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 12 Dec 2023 16:36:07 -0800
Subject: [PATCH 1/5] Fixing redundant block

---
 detection-rules/attachment_fake_attachment_image.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml
index 7238118bc45..c280b86c390 100644
--- a/detection-rules/attachment_fake_attachment_image.yml
+++ b/detection-rules/attachment_fake_attachment_image.yml
@@ -15,10 +15,7 @@ source: |
 .name in~ ("financial", "urgency")
 )
 )
- and any(attachments,
- .file_type in $file_types_images
- and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
- )
+ and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
 )
 // fake file attachment preview in attached EML
 or any(attachments,
From f3e3c36c21bfd79192483d7b2ac89b05c2f34a91 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 12 Dec 2023 17:18:01 -0800
Subject: [PATCH 2/5] Adding high trust and sender profiles

---
 .../attachment_fake_attachment_image.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml
index c280b86c390..6e3b3e3e7f1 100644
--- a/detection-rules/attachment_fake_attachment_image.yml
+++ b/detection-rules/attachment_fake_attachment_image.yml
@@ -32,6 +32,23 @@ source: |
 )
 )
 
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+ and (
+ not profile.by_sender().solicited
+ or profile.by_sender().any_messages_malicious_or_spam
+ )
 tags:
 - "Suspicious attachment"
 - "Suspicious content"
From 57589147110f7ffec9eb4bfe94c1b2e1f21bd558 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 12 Dec 2023 17:30:00 -0800
Subject: [PATCH 3/5] Update attachment_fake_attachment_image.yml

---
 .../attachment_fake_attachment_image.yml | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml
index 6e3b3e3e7f1..ee3856ae8a4 100644
--- a/detection-rules/attachment_fake_attachment_image.yml
+++ b/detection-rules/attachment_fake_attachment_image.yml
@@ -10,11 +10,6 @@ source: |
 any(attachments,
 .file_type in $file_types_images
 and .size < 5000
- and any(file.explode(.),
- any(ml.nlu_classifier(.scan.ocr.raw).entities,
- .name in~ ("financial", "urgency")
- )
- )
 and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
 )
 // fake file attachment preview in attached EML
@@ -23,15 +18,11 @@ source: |
 and any(file.parse_eml(.).attachments,
 .file_type in $file_types_images
 and .size < 5000
- and any(file.explode(.),
- any(ml.nlu_classifier(.scan.ocr.raw).entities,
- .name in~ ("financial", "urgency")
- )
- )
+ and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
 )
 )
 )
-
+
 // negate highly trusted sender domains unless they fail DMARC authentication
 and (
 (
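Review bot: The high-trust negation keeps a match from a `$high_trust_sender_root_domains` sender only when some hop carries a DMARC result matching `"*fail"`; when no hop has `.authentication_results.dmarc` set at all, `distinct(...)` is empty, the `any(...)` is false, and the message is negated even though nothing authenticated the claimed root domain. If that is the intended trade-off it deserves a line in the block comment, e.g. `// note: a high-trust domain with no DMARC result on any hop is negated as well`; if not, the inner test should treat an absent DMARC result as not-authenticated rather than as a pass. The two added `and (` groups sit inside the rule's top-level expression, whose opening lines are outside this hunk.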
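Review bot: After this hunk the original-email branch is reduced to `.file_type in $file_types_images`, `.size < 5000` and the `ml.logo_detect` brand check, so the OCR/NLU entity gate on `"financial"`/`"urgency"` no longer contributes and the brand detector carries the whole signal; the second hunk at `@@ -23,15 +18,11 @@` makes the same removal in the attached-EML branch. Nothing in the rule records why the gate was dropped, which the next person tuning false positives will want; a one-line note such as `// logo detection only: OCR entity gate intentionally removed` at the top of each branch would preserve it. The `any(attachments,` opened on the hunk's first line belongs to an expression that begins outside the hunk.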
@@ -44,7 +35,6 @@ source: |
 )
 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
-
 and (
 not profile.by_sender().solicited
 or profile.by_sender().any_messages_malicious_or_spam
From f1bc106a7b43af78f268dedbc450983e4a2cfb6a Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 12 Dec 2023 17:32:26 -0800
Subject: [PATCH 4/5] Update attachment_fake_attachment_image.yml

---
 detection-rules/attachment_fake_attachment_image.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml
index ee3856ae8a4..e39c1dabdc0 100644
--- a/detection-rules/attachment_fake_attachment_image.yml
+++ b/detection-rules/attachment_fake_attachment_image.yml
@@ -9,15 +9,13 @@ source: |
 // fake file attachment preview in original email
 any(attachments,
 .file_type in $file_types_images
- and .size < 5000
 and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
 )
 // fake file attachment preview in attached EML
 or any(attachments,
- .content_type == "message/rfc822"
+ (.content_type == "message/rfc822" or .file_extension == "eml")
 and any(file.parse_eml(.).attachments,
 .file_type in $file_types_images
- and .size < 5000
 and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
 )
 )
From 3cd5c0f8673098c5355cf243733347f6b65542ab Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Wed, 13 Dec 2023 04:03:43 +0200
Subject: [PATCH 5/5] Update attachment_fake_attachment_image.yml

update description
---
 detection-rules/attachment_fake_attachment_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml
index e39c1dabdc0..5b082e8b256 100644
--- a/detection-rules/attachment_fake_attachment_image.yml
+++ b/detection-rules/attachment_fake_attachment_image.yml
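Review bot: Removing `.size < 5000` from both branches drops the only bound on which image attachments reach `ml.logo_detect`, so every image in the message and in each parsed EML is now evaluated; that broadens what the rule can match and raises per-message ML work, and the hunk does not say why the cap no longer holds. A comment beside each `.file_type in $file_types_images` line, e.g. `// no size cap: logo_detect runs on every image attachment`, would record the decision. The widened `(.content_type == "message/rfc822" or .file_extension == "eml")` test also routes attachments that only carry the `eml` extension through `file.parse_eml`, which matches the branch's stated intent. The closing parenthesis of the outer `or` expression is outside the hunk.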
@@ -1,6 +1,6 @@
 name: "Attachment: Fake attachment image lure"
 description: |
- Message body (or attached message body) contains a image faking an Outlook attachment button. The image contains OCR entities that are suspicious.
+ Message (or attached message) contains an image impersonating an Outlook attachment button.
 type: "rule"
 severity: "medium"
 source: |