Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create lookalike_domain_with_suspicious_language.yml #2197

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Create lookalike_domain_with_suspicious_language.yml #2197

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
be37e75
Create lookalike_domain_with_suspicious_language.yml
morriscode Dec 6, 2024
5b7b29f
Update lookalike_domain_with_suspicious_language.yml
morriscode Dec 6, 2024
f0b99c7
Auto add rule ID
Dec 6, 2024
0a72154
Update lookalike_domain_with_suspicious_language.yml
morriscode Dec 11, 2024
17f3e2c
Merge branch 'main' into morriscode-patch-54
morriscode Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions detection-rules/lookalike_domain_with_suspicious_language.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: "Suspected Lookalike domain with suspicious language"
description: "This rule identifies messages where links use typosquatting or lookalike domains similar to the sender domain, with at least one domain being either unregistered or recently registered (≤90 days). The messages must also contain indicators of business email compromise (BEC), credential theft, or abusive language patterns like financial terms or polite phrasing such as kindly. This layered approach targets phishing attempts combining domain deception with manipulative content"
type: "rule"
severity: "high"
source: |
type.inbound

// levenshtein distance (edit distance) between the SLD of the link and the sender domain is greater than 0 and less than or equal to 2.
// This detects typosquatting or domains that are deceptively similar to the sender.

and any(body.links,
length(.href_url.domain.sld) > 3
and 0 < strings.levenshtein(.href_url.domain.sld,
sender.email.domain.sld
) <= 2
//exclude onmicrosoft.com
and not sender.email.domain.root_domain == "onmicrosoft.com"
and (
// domains are not registered or registered within 90d
// network.whois(.href_url.domain).found == false
network.whois(.href_url.domain).days_old <= 90
or network.whois(sender.email.domain).found == false
or network.whois(sender.email.domain).days_old <= 90
)
)
// the mesasge is intent is BEC or Cred Theft, or is talking about financial invoicing/banking language, or a request contains "kindly"
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("bec", "cred_theft")
or any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "financial"
and (
.text in ("invoice", "banking information")
or .name == "request" and strings.icontains(.text, "kindly")
)
)
)

attack_types:
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Lookalike domain"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "Whois"
id: "3674ced0-691c-5faa-9ced-922e7201dc29"
Loading