From 93a07e7a83ff5c683d375973dd2ac9c9d63ce87d Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Fri, 1 Nov 2024 09:15:42 -0500 Subject: [PATCH 1/7] Create abuse_dropbox_unsolicited_reply-to.yml --- .../abuse_dropbox_unsolicited_reply-to.yml | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 detection-rules/abuse_dropbox_unsolicited_reply-to.yml diff --git a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml new file mode 100644 index 00000000000..6348a144ccc --- /dev/null +++ b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml 
@@ -0,0 +1,56 @@
+name: "Service Abuse: DropBox Share From an Unsolicited Reply-To Address"
+description: "This rule detects DropBox shares notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receveing messages from the recipient organization."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ // Legitimate Dropbox sending infratructure
+ and sender.email.email == "no-reply@dropbox.com"
+ and headers.auth_summary.spf.pass
+ and headers.auth_summary.dmarc.pass
+ and strings.ends_with(headers.auth_summary.spf.details.designator,
+ '.dropbox.com'
+ )
+ and strings.icontains(subject.subject, 'shared')
+ and strings.icontains(subject.subject, 'with you')
+
+ and length(headers.reply_to) > 0
+ // reply-to email address has never been sent an email by the org
+ and not (
+ any(headers.reply_to, .email.email in $recipient_emails)
+ // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
+ or any(filter(headers.reply_to,
+ // filter the list to only emails that are not in free_email_providers
+ (
+ .email.domain.domain not in $free_email_providers
+ or .email.domain.root_domain not in $free_email_providers
+ )
+ ),
+ .email.domain.domain in $recipient_domains
+ )
+ )
+ // reply-to address has never sent an email to the org
+ and not (
+ any(headers.reply_to, .email.email in $sender_emails)
+ // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
+ or any(filter(headers.reply_to,
+ // filter the list to only emails that are not in free_email_providers
+ (
+ .email.domain.domain not in $free_email_providers
+ or .email.domain.domain not in $free_email_providers
+ )
+ ),
+ .email.domain.root_domain in $sender_domains
+ )
+ )
+attack_types:
+ - "Callback Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
+ - 
"Content analysis" From 2a9c38667a42b5a2ee04f1792f07060180ece198 Mon Sep 17 00:00:00 2001 From: ID Generator Date: Fri, 1 Nov 2024 14:22:36 +0000 Subject: [PATCH 2/7] Auto add rule ID --- detection-rules/abuse_dropbox_unsolicited_reply-to.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml index 6348a144ccc..67e65449ec1 100644 --- a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml +++ b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml @@ -54,3 +54,4 @@ detection_methods: - "Sender analysis" - "Header analysis" - "Content analysis" +id: "50a1499f-bb59-5ee0-b4f4-e3cc84a5c41e" From 94a735c8f3bdfb770f8c56e0819ea3a26d78545d Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Tue, 5 Nov 2024 23:02:57 -0600 Subject: [PATCH 3/7] make it an ASR rule --- detection-rules/abuse_dropbox_unsolicited_reply-to.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml index 67e65449ec1..76f9148a41d 100644 --- a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml +++ b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml @@ -44,6 +44,8 @@ source: | .email.domain.root_domain in $sender_domains ) ) +tags: + - "Attack surface reduction" attack_types: - "Callback Phishing" - "BEC/Fraud" From f346f4648b1a93e1706d1b27c94674703c6e5500 Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:49:59 -0600 Subject: [PATCH 4/7] use email.domain.domain instead of root_domain --- detection-rules/abuse_dropbox_unsolicited_reply-to.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml index 76f9148a41d..d70c91c8e4a 100644 
--- a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml +++ b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml @@ -41,7 +41,7 @@ source: | or .email.domain.domain not in $free_email_providers ) ), - .email.domain.root_domain in $sender_domains + .email.domain.domain in $sender_domains ) ) tags: From cd2e9510d26c1e32d46eb1c2cb822bcbc3981091 Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Fri, 13 Dec 2024 19:08:31 -0600 Subject: [PATCH 5/7] Update detection-rules/abuse_dropbox_unsolicited_reply-to.yml Co-authored-by: Aiden Mitchell --- detection-rules/abuse_dropbox_unsolicited_reply-to.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml index d70c91c8e4a..f28519cb008 100644 --- a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml +++ b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml @@ -1,4 +1,4 @@ -name: "Service Abuse: DropBox Share From an Unsolicited Reply-To Address" +name: "Service Abuse: Dropbox Share From an Unsolicited Reply-To Address" description: "This rule detects DropBox shares notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receveing messages from the recipient organization." type: "rule" severity: "medium" From 44866797175d9e598a5318ac8aa5b191ed969dbd Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Fri, 13 Dec 2024 19:08:39 -0600 Subject: [PATCH 6/7] Update detection-rules/abuse_dropbox_unsolicited_reply-to.yml Co-authored-by: Aiden Mitchell --- detection-rules/abuse_dropbox_unsolicited_reply-to.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml index f28519cb008..ee127ac1c9f 100644 
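Review bot: With `.email.domain.domain in $sender_domains` both allowlist comparisons now use the full domain, so a Reply-To at a sub-host of a domain the org has previously corresponded with no longer matches and will alert; that is a deliberate tightening, but nothing in the expression says so, and the next reader may "fix" it back to `root_domain`. A one-line comment would settle it, e.g. `// compare the full domain, not root_domain, so a new sub-domain of a known correspondent still alerts`. The enclosing `and not (` expression begins before this hunk.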
--- a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml +++ b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml @@ -1,5 +1,5 @@ name: "Service Abuse: Dropbox Share From an Unsolicited Reply-To Address" -description: "This rule detects DropBox shares notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receveing messages from the recipient organization." +description: "This rule detects Dropbox share notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receiving messages from the recipient organization." type: "rule" severity: "medium" source: | From a39318a1192f282b8a927d82b1e91a28859bf058 Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Wed, 18 Dec 2024 09:49:08 -0600 Subject: [PATCH 7/7] Update abuse_dropbox_unsolicited_reply-to.yml use root_domain instead of duplicate domain.domain --- detection-rules/abuse_dropbox_unsolicited_reply-to.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml index ee127ac1c9f..92811c145ff 100644 --- a/detection-rules/abuse_dropbox_unsolicited_reply-to.yml +++ b/detection-rules/abuse_dropbox_unsolicited_reply-to.yml @@ -38,7 +38,7 @@ source: | // filter the list to only emails that are not in free_email_providers ( .email.domain.domain not in $free_email_providers - or .email.domain.domain not in $free_email_providers + or .email.domain.root_domain not in $free_email_providers ) ), .email.domain.domain in $sender_domains
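Review bot: With the duplicate removed, the filter keeps a Reply-To address unless both `.email.domain.domain` and `.email.domain.root_domain` appear in `$free_email_providers`, so an address at a sub-host of a listed provider survives the filter and is then compared against `$sender_domains` — harmless unless that list contains such a sub-host, but if the comment's wording ("only emails that are not in free_email_providers") is meant strictly, `and` expresses it: `.email.domain.domain not in $free_email_providers` / `and .email.domain.root_domain not in $free_email_providers`. Whichever is intended, a comment such as `// an address is dropped only when both its domain and its root domain are free providers` would make the choice explicit. The recipient-side filter with the same shape sits earlier in the source block, outside this hunk, and should be kept in step.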