From 12dfe321803a305f2b52d2c970328ab78d3a4bee Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Thu, 21 Nov 2024 13:51:07 -0600 Subject: [PATCH 1/6] Create impersonation_capitalone.yml --- detection-rules/impersonation_capitalone.yml | 71 ++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 detection-rules/impersonation_capitalone.yml diff --git a/detection-rules/impersonation_capitalone.yml b/detection-rules/impersonation_capitalone.yml new file mode 100644 index 00000000000..5691502d9cc --- /dev/null +++ b/detection-rules/impersonation_capitalone.yml 
@@ -0,0 +1,71 @@
+name: "Brand Impersonation: Capital One "
+description: "This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders."
+type: "rule"
+severity: ""
+source: |
+ type.inbound
+ and
+ // display name contains captialone
+ (
+ strings.icontains(strings.replace_confusables(sender.display_name),
+ 'Capital One'
+ )
+ // no spaces
+ or strings.icontains(strings.replace_confusables(sender.display_name),
+ 'Capital One'
+ )
+ // levenshtein distince similar to captial one
+ or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+ 'Capital One'
+ ) <= 2
+ // sender localpart contains captialone
+ or strings.icontains(strings.replace_confusables(sender.email.local_part),
+ 'capitalone'
+ )
+ // indicators in the footer
+ or strings.ilike(strings.replace_confusables(body.current_thread.text),
+ 'Capital One Financial Corp'
+ )
+ or strings.ilike(strings.replace_confusables(body.current_thread.text),
+ '1680 Capital One Drive'
+ )
+ or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Capital One Bank" and .confidence != "low")
+
+ )
+ and not (
+ sender.email.domain.root_domain in $org_domains
+ or (
+ sender.email.domain.root_domain in (
+ "capitalone.com",
+ "capitaloneshopping.com",
+ "capitalonesoftware.com",
+ "olbanking.com", // a fiserv.one domain
+ "bynder.com", // Digital Assest Mgmt
+ "gcs-web.com", // investor relations run by capital one
+ "capitalonearena.com", // the arena
+ "monumentalsports.com", // the company that owns a bunch of teams that play at the arena?
+ )
+ and headers.auth_summary.dmarc.pass
+ )
+ )
+
+ // and the sender is not from high trust sender root domains
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Sender analysis"
+ - "Header analysis"
From 08a1b0833c38627a22731582d818d53e61bc1309 Mon Sep 17 00:00:00 2001 From: ID Generator Date: Thu, 21 Nov 2024 20:15:27 +0000 Subject: [PATCH 2/6] Auto add rule ID --- detection-rules/impersonation_capitalone.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/detection-rules/impersonation_capitalone.yml b/detection-rules/impersonation_capitalone.yml
index 5691502d9cc..2f8b83288f3 100644
--- a/detection-rules/impersonation_capitalone.yml
+++ b/detection-rules/impersonation_capitalone.yml
@@ -69,3 +69,4 @@ detection_methods: - "Computer Vision" - "Sender analysis" - "Header analysis"
+id: "d53848e4-fc40-5bd1-ad5e-c9c4e85a669f"
From 74139e76373f352b20e37ee70b8baea39bc9127e Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Fri, 22 Nov 2024 17:06:31 -0600 Subject: [PATCH 3/6] Update impersonation_capitalone.yml --- detection-rules/impersonation_capitalone.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/impersonation_capitalone.yml b/detection-rules/impersonation_capitalone.yml
index 2f8b83288f3..f906ba5c248 100644
--- a/detection-rules/impersonation_capitalone.yml
+++ b/detection-rules/impersonation_capitalone.yml
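Review bot: The two footer indicators `strings.ilike(strings.replace_confusables(body.current_thread.text), 'Capital One Financial Corp')` and the sibling `'1680 Capital One Drive'` line use `ilike` with no `*` wildcard, which as I read that function only matches when the whole body text equals the pattern, so these branches will effectively never fire; `strings.icontains(...)`, the function the display-name and local-part branches already use, or a `'*Capital One Financial Corp*'` pattern would match the footer substring. The same two lines are carried over unchanged on the new side of the `@@ -5,32 +5,38 @@` hunk in PATCH 6/6. Separately, the `sender.email.domain.root_domain in $org_domains` exclusion is not gated on `headers.auth_summary.dmarc.pass` the way the Capital One allowlist below it is, so a message whose From is set to one of the organisation's own domains is excluded before any brand indicator is weighed; whether that is acceptable depends on how strictly those domains enforce DMARC, so it deserves either the same `and headers.auth_summary.dmarc.pass` guard or a comment explaining why it is omitted.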
@@ -1,7 +1,7 @@ -name: "Brand Impersonation: Capital One " +name: "Brand Impersonation: Capital One" description: "This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders." type: "rule" -severity: "" +severity: "high" source: | type.inbound and From 1cbbea7d84875c4efa25d9c6990625ee143b48ff Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Mon, 25 Nov 2024 15:42:53 -0600 Subject: [PATCH 4/6] Update impersonation_capitalone.yml --- detection-rules/impersonation_capitalone.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/detection-rules/impersonation_capitalone.yml b/detection-rules/impersonation_capitalone.yml index f906ba5c248..8912cfb97ab 100644 --- a/detection-rules/impersonation_capitalone.yml +++ b/detection-rules/impersonation_capitalone.yml @@ -44,6 +44,7 @@ source: | "gcs-web.com", // investor relations run by capital one "capitalonearena.com", // the arena "monumentalsports.com", // the company that owns a bunch of teams that play at the arena? + "ticketmaster.com", // sell and advertises tickets at Capital One Arena ) and headers.auth_summary.dmarc.pass ) @@ -57,8 +58,6 @@ source: | ) or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) - - attack_types: - "Credential Phishing" tactics_and_techniques: From 559c491e0f2fe31befa8938b427d623c0b12e4fe Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Mon, 25 Nov 2024 15:59:42 -0600 Subject: [PATCH 5/6] Update impersonation_capitalone.yml --- detection-rules/impersonation_capitalone.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/impersonation_capitalone.yml b/detection-rules/impersonation_capitalone.yml index 8912cfb97ab..d76bec71f56 100644 
--- a/detection-rules/impersonation_capitalone.yml +++ b/detection-rules/impersonation_capitalone.yml @@ -36,6 +36,7 @@ source: | sender.email.domain.root_domain in $org_domains or ( sender.email.domain.root_domain in ( + "capitalone.co.uk", "capitalone.com", "capitaloneshopping.com", "capitalonesoftware.com", From 6999d94a0a17cb1f7fb8402a12d7f36d3ea99cc2 Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Wed, 11 Dec 2024 00:02:40 -0600 Subject: [PATCH 6/6] Update impersonation_capitalone.yml --- detection-rules/impersonation_capitalone.yml | 56 ++++++++++++-------- 1 file changed, 35 insertions(+), 21 deletions(-) diff --git a/detection-rules/impersonation_capitalone.yml b/detection-rules/impersonation_capitalone.yml index d76bec71f56..c3a4a55725c 100644 --- a/detection-rules/impersonation_capitalone.yml +++ b/detection-rules/impersonation_capitalone.yml 
@@ -5,32 +5,38 @@ severity: "high" source: | type.inbound and - // display name contains captialone + // display name contains captialone + ( ( strings.icontains(strings.replace_confusables(sender.display_name), 'Capital One' ) - // no spaces - or strings.icontains(strings.replace_confusables(sender.display_name), - 'Capital One' + and not strings.icontains(strings.replace_confusables(sender.display_name), + 'Capital One Arena' ) - // levenshtein distince similar to captial one - or strings.ilevenshtein(strings.replace_confusables(sender.display_name), - 'Capital One' - ) <= 2 - // sender localpart contains captialone - or strings.icontains(strings.replace_confusables(sender.email.local_part), - 'capitalone' - ) - // indicators in the footer - or strings.ilike(strings.replace_confusables(body.current_thread.text), - 'Capital One Financial Corp' - ) - or strings.ilike(strings.replace_confusables(body.current_thread.text), - '1680 Capital One Drive' - ) - or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Capital One Bank" and .confidence != "low") - + ) + // no spaces + or strings.icontains(strings.replace_confusables(sender.display_name), + 'CapitalOne' + ) + // levenshtein distince similar to captial one + or strings.ilevenshtein(strings.replace_confusables(sender.display_name), + 'Capital One' + ) <= 2 + // sender localpart contains captialone + or strings.icontains(strings.replace_confusables(sender.email.local_part), + 'capitalone' + ) + // indicators in the footer + or strings.ilike(strings.replace_confusables(body.current_thread.text), + 'Capital One Financial Corp' + ) + or strings.ilike(strings.replace_confusables(body.current_thread.text), + '1680 Capital One Drive' + ) + or any(ml.logo_detect(beta.message_screenshot()).brands, + .name == "Capital One Bank" and .confidence != "low" + ) ) and not ( sender.email.domain.root_domain in $org_domains 
@@ -40,6 +46,8 @@ source: | "capitalone.com", "capitaloneshopping.com", "capitalonesoftware.com", + "capitalonebooking.com", + "capitalonetravel.com", "olbanking.com", // a fiserv.one domain "bynder.com", // Digital Assest Mgmt "gcs-web.com", // investor relations run by capital one @@ -50,6 +58,12 @@ source: | and headers.auth_summary.dmarc.pass ) ) + // avoid FPs on branded cards by checking for common disclaimer text + // Capital One uses Visa and Mastercard + // https://www.capitalone.com/learn-grow/money-management/is-capital-one-visa-or-mastercard/ + and not strings.icontains(body.current_thread.text, + 'Mastercard is a registered trademark, and the circles design is a trademark of Mastercard International Incorporated' + ) // and the sender is not from high trust sender root domains and (
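Review bot: The new `and not strings.icontains(body.current_thread.text, 'Mastercard is a registered trademark...')` carve-out is applied at the top level of the rule, so a message that also carries a confusable display name, a `capitalone` local part or a high-confidence logo match is suppressed as soon as that boilerplate sentence appears anywhere in the body. If the false positives come from the footer-text branches, the narrower fix is to attach the exclusion to those branches (`(strings.ilike(...) or strings.ilike(...)) and not strings.icontains(body.current_thread.text, 'Mastercard is a registered trademark...')`); if they come from the logo detector, pairing the exclusion with `headers.auth_summary.dmarc.pass` at least limits it to authenticated senders. This is also the only body check that skips `strings.replace_confusables`, which every sibling body check applies; that is defensible for an exclusion but worth a one-line comment such as `// raw text on purpose: disclaimer must match verbatim`. The enclosing `source` block starts and ends outside this hunk.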