Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create abuse_docsend_unsolicited_reply-to.yml #2165

Merged
merged 8 commits into from
Dec 18, 2024
Merged

Create abuse_docsend_unsolicited_reply-to.yml #2165

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f2bf3cb
Create abuse_docsend_unsolicited_reply-to.yml
zoomequipd Nov 25, 2024
bb0a38d
Auto add rule ID
Nov 25, 2024
aea6a3b
Update abuse_docsend_unsolicited_reply-to.yml
zoomequipd Dec 11, 2024
8573fac
Merge branch 'main' into zoomequipd-patch-32
zoomequipd Dec 11, 2024
13e482b
Update detection-rules/abuse_docsend_unsolicited_reply-to.yml
zoomequipd Dec 14, 2024
2036440
Merge branch 'main' into zoomequipd-patch-32
zoomequipd Dec 14, 2024
22f012c
Update abuse_docsend_unsolicited_reply-to.yml
zoomequipd Dec 18, 2024
1309826
Merge branch 'main' into zoomequipd-patch-32
zoomequipd Dec 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions detection-rules/abuse_docsend_unsolicited_reply-to.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
name: "Service Abuse: DocSend Share From an Unsolicited Reply-To Address"
description: "DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
type: "rule"
severity: "high"
source: |
type.inbound

// Legitimate DocSend sending infratructure
and sender.email.email == "[email protected]"
and headers.auth_summary.spf.pass
and headers.auth_summary.dmarc.pass

// the message needs to have a reply-to address
and length(headers.reply_to) > 0

// reply-to email address has never been sent an email by the org
and not (
any(headers.reply_to, .email.email in $recipient_emails)
// if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains
or any(filter(headers.reply_to,
// filter the list to only emails that are not in free_email_providers
(
.email.domain.domain not in $free_email_providers
or .email.domain.root_domain not in $free_email_providers
)
),
.email.domain.domain in $recipient_domains
)
)
// reply-to address has never sent an email to the org
and not (
any(headers.reply_to, .email.email in $sender_emails)
// if the reply-to address is NOT in free_email_providers, check the domain in sender_domains
or any(filter(headers.reply_to,
// filter the list to only emails that are not in free_email_providers
(
.email.domain.domain not in $free_email_providers
or .email.domain.root_domain not in $free_email_providers
)
),
.email.domain.domain in $sender_domains
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Free file host"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "b377e64c-21bd-5040-86ec-534e545a42db"
Loading