From bebc89d3ccf2ad004668c867496954912c7dae79 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 10:03:48 -0500
Subject: [PATCH 1/9] New Rule: Employee Impersonation via Google Groups
---
 impersonation_employee_via_google_groups.yml | 76 ++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 impersonation_employee_via_google_groups.yml
diff --git a/impersonation_employee_via_google_groups.yml b/impersonation_employee_via_google_groups.yml
new file mode 100644
index 00000000000..7cecb73cecb
--- /dev/null
+++ b/impersonation_employee_via_google_groups.yml
@@ -0,0 +1,76 @@
+name: "Employee Impersonation via Google Groups with suspicious indicators"
+description: "Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.
+"
+type: "rule"
+severity: ""
+source: |
+ (type.inbound or type.internal)
+ and sender.email.domain.root_domain in $org_domains
+
+ // subject or reply to is leveraging an org display name
+ and (
+ any(headers.reply_to, .display_name in $org_display_names)
+ or any($org_display_names, strings.contains(., subject.subject))
+ )
+ and any(headers.hops,
+ any(.fields,
+ regex.icontains(.name,
+ "X-Authenticated-Sender|X-Sender|X-Original-Sender"
+ )
+ )
+ )
+
+ // reply to return path mismatch and not org domain
+ and any(headers.reply_to,
+ .email.domain.root_domain != headers.return_path.domain.root_domain
+ and .email.domain.root_domain not in $org_domains
+ )
+
+ // googlegroups found in hops
+ and any(headers.hops,
+ .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
+ )
+
+ // financial nlu entity in current thread
+ and 3 of (
+ any(ml.nlu_classifier(body.current_thread.text).entities,
+ .name == "financial"
+ ),
+
+ // invoice entity in display_text
+ any(ml.nlu_classifier(body.html.display_text).tags, .name == "invoice"),
+
+ // fake thread
+ (
+ (length(headers.references) == 0 and headers.in_reply_to is null)
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ ),
+
+ // reply-to is freemail
+ any(headers.reply_to, .email.domain.domain in $free_email_providers),
+
+ // reply-to is not in $recipient_emails
+ any(headers.reply_to, .email.email not in $recipient_emails),
+
+ // dmarc authentication is freemail provider
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ .authentication_results.dmarc_details.from.domain in $free_email_providers
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Impersonation: Employee"
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+
From da2aa9b4c831d55625ffafbb10ba21473869b7df Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 10:08:49 -0500
Subject: [PATCH 2/9] Update impersonation_employee_via_google_groups.yml
---
 impersonation_employee_via_google_groups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/impersonation_employee_via_google_groups.yml b/impersonation_employee_via_google_groups.yml
index 7cecb73cecb..52bf59d49fe 100644
--- a/impersonation_employee_via_google_groups.yml
+++ b/impersonation_employee_via_google_groups.yml
@@ -2,7 +2,7 @@ name: "Employee Impersonation via Google Groups with suspicious indicators"
 description: "Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.
 "
 type: "rule"
-severity: ""
+severity: "high"
 source: |
 (type.inbound or type.internal)
 and sender.email.domain.root_domain in $org_domains
From 4c27f1bd7cd22d2dfa8b2ade04f4bc8e53ea7bf5 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 10:13:37 -0500
Subject: [PATCH 3/9] Rename impersonation_employee_via_google_groups.yml to detection-rules/impersonation_employee_via_google_groups.yml
---
 .../impersonation_employee_via_google_groups.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename impersonation_employee_via_google_groups.yml => detection-rules/impersonation_employee_via_google_groups.yml (100%)
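Review bot: The `3 of (...)` threshold in the source block is looser than it reads, because the counted indicator `any(headers.reply_to, .email.email not in $recipient_emails)` is already implied by the mandatory condition `.email.domain.root_domain not in $org_domains` a few lines above whenever `$recipient_emails` holds only org-domain addresses, so in practice two of the other five indicators are enough to fire. Either remove that clause from the counted set (and accept a real "3 of 5") or replace it with a signal the mandatory block does not already guarantee. Whether `$recipient_emails` can contain external addresses is not visible here; if it can, a one-line comment stating that would make the threshold auditable. Separately, `attack_types` lists `"Malware/Ransomware"` although nothing in `source` inspects attachments or links, so that tag looks like it should be dropped or justified in the description.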
diff --git a/impersonation_employee_via_google_groups.yml b/detection-rules/impersonation_employee_via_google_groups.yml
similarity index 100%
rename from impersonation_employee_via_google_groups.yml
rename to detection-rules/impersonation_employee_via_google_groups.yml
From 22a134032431d72b67104a2c01f052d529a17695 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 2 Jan 2024 15:15:16 +0000
Subject: [PATCH 4/9] Auto add rule ID
---
 detection-rules/impersonation_employee_via_google_groups.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/impersonation_employee_via_google_groups.yml b/detection-rules/impersonation_employee_via_google_groups.yml
index 52bf59d49fe..8ac9e103880 100644
--- a/detection-rules/impersonation_employee_via_google_groups.yml
+++ b/detection-rules/impersonation_employee_via_google_groups.yml
@@ -74,3 +74,4 @@ detection_methods:
 - "Natural Language Understanding"
 - "Sender analysis"
+id: "e3ccd601-5774-5a74-a60c-4be8c055111e"
From 509daadd6a72bbb08ac845e946cb743ca2f71989 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 10:31:25 -0500
Subject: [PATCH 5/9] Update impersonation_employee_via_google_groups.yml
---
 detection-rules/impersonation_employee_via_google_groups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/impersonation_employee_via_google_groups.yml b/detection-rules/impersonation_employee_via_google_groups.yml
index 8ac9e103880..72fe5b43177 100644
--- a/detection-rules/impersonation_employee_via_google_groups.yml
+++ b/detection-rules/impersonation_employee_via_google_groups.yml
@@ -1,4 +1,4 @@
-name: "Employee Impersonation via Google Groups with suspicious indicators"
+name: "Employee Impersonation via Google Group relay with suspicious indicators"
 description: "Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.
 "
 type: "rule"
From 82cc6baa7ba18478d2a1ba91f9eef939de3f891e Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 10:49:31 -0500
Subject: [PATCH 6/9] Update impersonation_employee_via_google_groups.yml
---
 detection-rules/impersonation_employee_via_google_groups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/impersonation_employee_via_google_groups.yml b/detection-rules/impersonation_employee_via_google_groups.yml
index 72fe5b43177..12c54ba6bb4 100644
--- a/detection-rules/impersonation_employee_via_google_groups.yml
+++ b/detection-rules/impersonation_employee_via_google_groups.yml
@@ -10,7 +10,7 @@ source: |
 // subject or reply to is leveraging an org display name
 and (
 any(headers.reply_to, .display_name in $org_display_names)
- or any($org_display_names, strings.contains(., subject.subject))
+ or any($display_names, strings.contains(subject.subject, .))
 )
 and any(headers.hops,
 any(.fields,
From 3fb3602554180338689a89abb1a938a95c76fa14 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 10:57:26 -0500
Subject: [PATCH 7/9] Update impersonation_employee_via_google_groups.yml
---
 .../impersonation_employee_via_google_groups.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/detection-rules/impersonation_employee_via_google_groups.yml b/detection-rules/impersonation_employee_via_google_groups.yml
index 12c54ba6bb4..1bb34fdaf07 100644
--- a/detection-rules/impersonation_employee_via_google_groups.yml
+++ b/detection-rules/impersonation_employee_via_google_groups.yml
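Review bot: `strings.contains(subject.subject, .)` on the added line of the `@@ -10,7 +10,7 @@` hunk is case-sensitive, while every other string and regex test in this rule uses a case-insensitive variant (`strings.icontains`, `regex.icontains`, `strings.ilike`), so a subject that carries an org display name in a different case than the list entry is not matched; `or any($org_display_names, strings.icontains(subject.subject, .))` keeps the rule's convention. The same line reappears in the later hunk of this series that restores `$org_display_names`, so the change applies there as well. The enclosing `and (...)` group begins and ends inside this hunk, but the `source:` block continues outside it.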
@@ -42,8 +42,13 @@ source: |
 // fake thread
 (
- (length(headers.references) == 0 and headers.in_reply_to is null)
- or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ regex.imatch(subject.subject, "(re|fw(d)?)")
+ and (
+ (length(headers.references) == 0 and headers.in_reply_to is null)
+ or not any(headers.hops,
+ any(.fields, strings.ilike(.name, "In-Reply-To"))
+ )
+ )
 ),
 // reply-to is freemail
From 8c971727e926be161769f10b7d6d8b0b103f16e8 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 10:58:29 -0500
Subject: [PATCH 8/9] Update impersonation_employee_via_google_groups.yml
---
 detection-rules/impersonation_employee_via_google_groups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/impersonation_employee_via_google_groups.yml b/detection-rules/impersonation_employee_via_google_groups.yml
index 1bb34fdaf07..ba7f86dd7f4 100644
--- a/detection-rules/impersonation_employee_via_google_groups.yml
+++ b/detection-rules/impersonation_employee_via_google_groups.yml
@@ -10,7 +10,7 @@ source: |
 // subject or reply to is leveraging an org display name
 and (
 any(headers.reply_to, .display_name in $org_display_names)
- or any($display_names, strings.contains(subject.subject, .))
+ or any($org_display_names, strings.contains(subject.subject, .))
 )
 and any(headers.hops,
 any(.fields,
From 59504e851ced273f2ddb169582b43a90754d4895 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 2 Jan 2024 11:04:18 -0500
Subject: [PATCH 9/9] Update impersonation_employee_via_google_groups.yml
---
 detection-rules/impersonation_employee_via_google_groups.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/impersonation_employee_via_google_groups.yml b/detection-rules/impersonation_employee_via_google_groups.yml
index ba7f86dd7f4..6577715c5b5 100644
--- a/detection-rules/impersonation_employee_via_google_groups.yml
+++ b/detection-rules/impersonation_employee_via_google_groups.yml
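Review bot: The comment `// fake thread` above the rewritten block in the `@@ -42,8 +42,13 @@` hunk no longer describes what it checks: the new first clause requires the subject to look like a reply or forward, and the threading-header test is now nested under it; a comment such as `// subject claims to be a reply/forward but the message carries no threading headers` would keep the indicator readable. If `regex.imatch` requires the whole subject to match, the pattern as written only accepts a subject that is exactly "re", "fw" or "fwd"; the last patch of this series appends `:.*`, but even then a subject with a leading tag before the prefix (a bracketed classification label, for instance) is not treated as reply-looking, so consider allowing an optional bracketed prefix if such tags are common in the environment. The `3 of (...)` group that encloses this indicator starts and ends outside the hunk.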
@@ -42,7 +42,7 @@ source: |
 // fake thread
 (
- regex.imatch(subject.subject, "(re|fw(d)?)")
+ regex.imatch(subject.subject, "(re|fw(d)?):.*")
 and (
 (length(headers.references) == 0 and headers.in_reply_to is null)
 or not any(headers.hops,