
New Rule: Employee Impersonation via Google Groups #1212

Closed
wants to merge 9 commits into from
82 changes: 82 additions & 0 deletions detection-rules/impersonation_employee_via_google_groups.yml
@@ -0,0 +1,82 @@
name: "Employee Impersonation via Google Group relay with suspicious indicators"
description: "Public Google Groups can be used to impersonate internal senders, while the reply to address is not under organizational control, leading to fraud, credential phishing, or other unwanted outcomes.
"
type: "rule"
severity: "high"
source: |
(type.inbound or type.internal)
and sender.email.domain.root_domain in $org_domains

// subject or reply to is leveraging an org display name
and (
any(headers.reply_to, .display_name in $org_display_names)
or any($org_display_names, strings.contains(subject.subject, .))
)
and any(headers.hops,
any(.fields,
regex.icontains(.name,
"X-Authenticated-Sender|X-Sender|X-Original-Sender"
)
)
)

// reply to return path mismatch and not org domain
and any(headers.reply_to,
.email.domain.root_domain != headers.return_path.domain.root_domain
and .email.domain.root_domain not in $org_domains
)

// googlegroups found in hops
and any(headers.hops,
.index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
)

// financial nlu entity in current thread
and 3 of (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
),

// invoice entity in display_text
any(ml.nlu_classifier(body.html.display_text).tags, .name == "invoice"),

// fake thread
(
regex.imatch(subject.subject, "(re|fw(d)?):.*")
and (
(length(headers.references) == 0 and headers.in_reply_to is null)
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
),

// reply-to is freemail
any(headers.reply_to, .email.domain.domain in $free_email_providers),

// reply-to is not in $recipient_emails
any(headers.reply_to, .email.email not in $recipient_emails),

// dmarc authentication is freemail provider
any(distinct(headers.hops, .authentication_results.dmarc is not null),
.authentication_results.dmarc_details.from.domain in $free_email_providers
)
)

attack_types:
- "BEC/Fraud"
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Free email provider"
- "Impersonation: Employee"
- "Social engineering"
- "Spoofing"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"

id: "e3ccd601-5774-5a74-a60c-4be8c055111e"
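Review bot: the `distinct(headers.hops, .authentication_results.dmarc is not null)` call in the last `3 of` option reads like a filter predicate rather than a key. If `distinct` dedupes the list on the value of its second argument, a boolean key collapses the hops to at most one per truth value, so the hop that survives may be one whose dmarc result is null and the `.authentication_results.dmarc_details.from.domain in $free_email_providers` check would then run against a hop the comment never intended; `filter(headers.hops, .authentication_results.dmarc is not null)` states the documented intent ("dmarc authentication is freemail provider") directly. Two smaller points in the same hunk: the `description` value carries a literal line break before its closing `"`, which loads as a trailing space, so close the quote on the same line as `...or other unwanted outcomes."` and hyphenate "reply-to address" there; and the `// financial nlu entity in current thread` comment sits above the `3 of (` header, where it reads as describing the whole block rather than the first option, so move it under the opening parenthesis next to the `ml.nlu_classifier(body.current_thread.text)` line it describes.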