From bff727a3c49a5da931a4b60fc6d9039eefbb52ce Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 13 Dec 2024 14:17:46 -0800
Subject: [PATCH 1/2] Create bec_urgent_suspicious_patterns.yml
---
 .../bec_urgent_suspicious_patterns.yml | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 detection-rules/bec_urgent_suspicious_patterns.yml
diff --git a/detection-rules/bec_urgent_suspicious_patterns.yml b/detection-rules/bec_urgent_suspicious_patterns.yml
new file mode 100644
index 00000000000..9e094613bde
--- /dev/null
+++ b/detection-rules/bec_urgent_suspicious_patterns.yml
@@ -0,0 +1,60 @@
+name: "BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns"
+description: "Identifies inbound messages using urgent language patterns and sender behavioral traits common in social manipulation. Combines multiple indicators including urgent subject lines, characteristic message content, short message length, and suspicious sender attributes."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ and 3 of (
+ // urgent subjects
+ strings.ilike(subject.subject, '*quick question*'),
+ strings.ilike(subject.subject, '*urgent*request*'),
+ strings.ilike(subject.subject, '*are you available*'),
+ strings.ilike(subject.subject, '*need assistance*'),
+ strings.ilike(subject.subject, '*help*needed*'),
+
+ // BEC body patterns
+ strings.ilike(body.current_thread.text, '*sorry to bother*'),
+ strings.ilike(body.current_thread.text, '*are you busy*'),
+ strings.ilike(body.current_thread.text, '*can you help*'),
+ strings.ilike(body.current_thread.text, '*do you have a moment*'),
+ strings.ilike(body.current_thread.text, '*please respond*asap*'),
+
+ // brand name
+ strings.ilike(body.current_thread.text, '*amaz*n*'), // Catches "Amaz on", "Amazon", etc.
+ strings.ilike(body.current_thread.text, '*pay*pal*'),
+ strings.ilike(body.current_thread.text, '*app*le*'),
+
+ // short body
+ length(body.current_thread.text) < 200,
+ strings.count(body.current_thread.text, ' ') < 30
+ )
+
+ and 3 of (
+ // suspicious sender
+ sender.email.domain.root_domain in $free_email_providers,
+ network.whois(sender.email.domain).days_old < 30,
+
+ // suspicious recipient pattern
+ any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
+ length(recipients.to) == 1, // Single recipient
+
+ // header checks
+ strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
+ strings.ilike(headers.x_originating_ip.ip, '*.*.*.0'), // Common in some BEC campaigns
+ )
+ and profile.by_sender_email().prevalence not in ("common")
+
+attack_types:
+ - "BEC/Fraud"
+ - "Callback Phishing"
+ - "Spam"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+ - "Free email provider"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+ - "Whois"
From 9edb1c46ffa36447bcbcebc1dd73df99ec44e4e1 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 13 Dec 2024 22:18:53 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/bec_urgent_suspicious_patterns.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/bec_urgent_suspicious_patterns.yml b/detection-rules/bec_urgent_suspicious_patterns.yml
index 9e094613bde..5dfc0c6575a 100644
--- a/detection-rules/bec_urgent_suspicious_patterns.yml
+++ b/detection-rules/bec_urgent_suspicious_patterns.yml
@@ -58,3 +58,4 @@ detection_methods:
 - "Header analysis"
 - "Sender analysis"
 - "Whois"
+id: "ba8a79e0-cce3-57e8-bbc7-3b3d9f848761"
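Review bot: The brand-name wildcards in the first `3 of` group over-match: `'*app*le*'` is true for any body in which "app" is followed anywhere later by "le" ("application … please"), and `'*amaz*n*'` and `'*pay*pal*'` behave the same way, so one of the three required indicators is supplied by ordinary text rather than by a brand mention. Since `length(body.current_thread.text) < 200` and `strings.count(body.current_thread.text, ' ') < 30` are almost always true together on a short message, those two plus a wildcard hit reach the threshold with no urgency wording present at all; the brand lines should be anchored to words, e.g. `regex.icontains(body.current_thread.text, '\bapp\s?le\b')` with the same shape for the other two, and the short-body pair collapsed into a single condition so it counts once. The second group ends with a trailing comma after the `headers.x_originating_ip.ip` line before `)`, while the first group does not; if the MQL parser rejects trailing commas the rule will fail to load, so drop it for consistency either way. The `'*.*.*.0'` check only encodes "last octet is 0" and the `// Common in some BEC campaigns` comment does not say why that is a signal; a one-line rationale or reference in that comment would help the next maintainer judge whether to keep it.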