From 38b879571364b00b736626e9912d84bc0e563e58 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 10 Dec 2024 15:50:37 -0800
Subject: [PATCH 1/4] Create infra_abuse_hardbacon.yml

---
 detection-rules/infra_abuse_hardbacon.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 detection-rules/infra_abuse_hardbacon.yml

diff --git a/detection-rules/infra_abuse_hardbacon.yml b/detection-rules/infra_abuse_hardbacon.yml
new file mode 100644
index 00000000000..43de3b76b1c
--- /dev/null
+++ b/detection-rules/infra_abuse_hardbacon.yml
@@ -0,0 +1,19 @@
+name: "Hardbacon infrastructure abuse"
+description: "Hardbacon is a defunt Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and sender.email.domain.root_domain in ('hardbacon.com', 'hardbacon.ca')
+  and headers.auth_summary.dmarc.pass
+  and headers.auth_summary.spf.pass
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"

From fd573b84774492de044b50be567252875d61eb4a Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 10 Dec 2024 15:51:26 -0800
Subject: [PATCH 2/4] Update infra_abuse_hardbacon.yml

---
 detection-rules/infra_abuse_hardbacon.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/infra_abuse_hardbacon.yml b/detection-rules/infra_abuse_hardbacon.yml
index 43de3b76b1c..3cfd5980549 100644
--- a/detection-rules/infra_abuse_hardbacon.yml
+++ b/detection-rules/infra_abuse_hardbacon.yml
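Review bot: The `source` block fires on every inbound message from hardbacon.com or hardbacon.ca that passes SPF and DMARC — the query carries no phishing indicator of its own, so the rule's correctness rests entirely on the description's claim that the company is defunct and sends no legitimate mail. That assumption should be recorded in the rule itself so it is revisited if the brand or its domains are revived or sold, e.g. a comment at the top of the `source` block: `// Hardbacon is defunct, so any authenticated mail from its domains is unexpected; the SPF/DMARC checks presumably keep lookalike-domain spoofs out of this rule's scope`. Given `severity: "high"` on a rule with no content signal, the description could also state plainly that the entire sender domain is being treated as abused infrastructure rather than as a brand being impersonated.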
@@ -1,5 +1,5 @@
 name: "Hardbacon infrastructure abuse"
-description: "Hardbacon is a defunt Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages."
+description: "Hardbacon is a defunct Canadian budgeting app. Attackers have been observed using their marketing platform to send credential phishing messages."
 type: "rule"
 severity: "high"
 source: |

From 66eff76a518f360508bc71b32ccf9d9c82978108 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 10 Dec 2024 23:52:13 +0000
Subject: [PATCH 3/4] Auto add rule ID

---
 detection-rules/infra_abuse_hardbacon.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/infra_abuse_hardbacon.yml b/detection-rules/infra_abuse_hardbacon.yml
index 3cfd5980549..3721f8f4f01 100644
--- a/detection-rules/infra_abuse_hardbacon.yml
+++ b/detection-rules/infra_abuse_hardbacon.yml
@@ -17,3 +17,4 @@ tactics_and_techniques:
 detection_methods:
   - "Header analysis"
   - "Sender analysis"
+id: "5330db42-10d2-5671-bcb2-a99449ac24c2"

From 20331dceba1b651e28a12fc9a0d5608f0a2bd136 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 20 Dec 2024 10:09:37 -0800
Subject: [PATCH 4/4] Update infra_abuse_hardbacon.yml

---
 detection-rules/infra_abuse_hardbacon.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/infra_abuse_hardbacon.yml b/detection-rules/infra_abuse_hardbacon.yml
index 3721f8f4f01..5f741f1e27e 100644
--- a/detection-rules/infra_abuse_hardbacon.yml
+++ b/detection-rules/infra_abuse_hardbacon.yml
@@ -5,6 +5,7 @@ severity: "high"
 source: |
   type.inbound
   and sender.email.domain.root_domain in ('hardbacon.com', 'hardbacon.ca')
+  and headers.mailer == 'Sendinblue'
   and headers.auth_summary.dmarc.pass
   and headers.auth_summary.spf.pass
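Review bot: `headers.mailer == 'Sendinblue'` in the last hunk is an exact, case-sensitive comparison against a header the sending platform writes and any sender can set, so it narrows the rule to one mailer string rather than adding any authenticity; if the abused platform emits a differently cased or renamed value (the service has operated under the Brevo name since 2023), matches stop silently with nothing to flag the gap. A case-insensitive pattern such as `and strings.ilike(headers.mailer, '*sendinblue*')` would survive that, and a why-comment above the line — `// observed abuse was sent through the Sendinblue (now Brevo) marketing platform; the mailer check scopes the rule to that path` — would record why the narrowing exists. The description on line 2 of the file, outside this hunk, still says only "their marketing platform" and should name it so the two stay in step. The remaining rule keys (attack_types, tactics_and_techniques, detection_methods, id) lie outside this hunk.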