From 3087241f53598654613a282a0bccede2a94d81d2 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 17 Aug 2023 16:00:16 -0400
Subject: [PATCH 1/4] New Rule: Headers: Recipient SLD matches X-mailer
---
 .../headers_recipient_sld_matches_mailer.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 detection-rules/headers_recipient_sld_matches_mailer.yml
diff --git a/detection-rules/headers_recipient_sld_matches_mailer.yml b/detection-rules/headers_recipient_sld_matches_mailer.yml
new file mode 100644
index 00000000000..9c3bb76f7ca
--- /dev/null
+++ b/detection-rules/headers_recipient_sld_matches_mailer.yml
@@ -0,0 +1,12 @@
+name: "Headers: Recipient SLD matches X-mailer"
+description: |
+  This rule inspects messages where the recipients Single Level Domain (SLD) is an exact match of the X-mailer value. This has been observed in Credential Phishing campaigns.
+references:
+
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound and any(recipients.to, .email.domain.sld == headers.mailer)
+
+tags:
+
\ No newline at end of file
From cef25455c85a02a4db35770c88a15874db1b0b61 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 17 Aug 2023 16:03:17 -0400
Subject: [PATCH 2/4] Update headers_recipient_sld_matches_mailer.yml
---
 detection-rules/headers_recipient_sld_matches_mailer.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/detection-rules/headers_recipient_sld_matches_mailer.yml b/detection-rules/headers_recipient_sld_matches_mailer.yml
index 9c3bb76f7ca..5fbd790d400 100644
--- a/detection-rules/headers_recipient_sld_matches_mailer.yml
+++ b/detection-rules/headers_recipient_sld_matches_mailer.yml
@@ -7,6 +7,8 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound and any(recipients.to, .email.domain.sld == headers.mailer)
 
+attack_types:
+  - "Credential Phishing"
+detection_methods:
+  - "Header analysis"
-tags:
-
\ No newline at end of file
From 98239c8fa4182985bba7ac0783d63c348eba4106 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 17 Aug 2023 16:03:48 -0400
Subject: [PATCH 3/4] Update headers_recipient_sld_matches_mailer.yml
---
 detection-rules/headers_recipient_sld_matches_mailer.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/detection-rules/headers_recipient_sld_matches_mailer.yml b/detection-rules/headers_recipient_sld_matches_mailer.yml
index 5fbd790d400..c081f5f9981 100644
--- a/detection-rules/headers_recipient_sld_matches_mailer.yml
+++ b/detection-rules/headers_recipient_sld_matches_mailer.yml
@@ -1,8 +1,6 @@
 name: "Headers: Recipient SLD matches X-mailer"
 description: |
-  This rule inspects messages where the recipients Single Level Domain (SLD) is an exact match of the X-mailer value. This has been observed in Credential Phishing campaigns.
-references:
-
+  This rule flags messages where the recipients Single Level Domain (SLD) is an exact match of the X-mailer value. This has been observed in Credential Phishing campaigns.
 type: "rule"
 severity: "medium"
 source: |
From 7dda1aa68e412d27faecf2cf2c7851146fb11ea4 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Thu, 17 Aug 2023 20:06:01 +0000
Subject: [PATCH 4/4] Auto add rule ID
---
 detection-rules/headers_recipient_sld_matches_mailer.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/headers_recipient_sld_matches_mailer.yml b/detection-rules/headers_recipient_sld_matches_mailer.yml
index c081f5f9981..f9e592b1f47 100644
--- a/detection-rules/headers_recipient_sld_matches_mailer.yml
+++ b/detection-rules/headers_recipient_sld_matches_mailer.yml
@@ -10,3 +10,4 @@ attack_types:
 detection_methods:
   - "Header analysis"
+id: "0eca4648-0e8a-5602-8e7b-d2233c983a33"
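Review bot: The comparison `.email.domain.sld == headers.mailer` in the new `source` block is an exact match, so if `==` is case-sensitive in MQL a sender who writes the X-Mailer value in different letter case from the recipient domain slips past the rule; if the case-insensitive equality operator is acceptable for this rule set, `type.inbound and any(recipients.to, .email.domain.sld =~ headers.mailer)` closes that gap. Messages with no X-Mailer header at all presumably fail the comparison rather than match, but that behaviour is worth confirming against the engine since most legitimate mail carries no such header. The rule also does not separate internal mail: an organisation whose own mail system sets X-Mailer to the organisation's name would fire on every internal recipient, so consider whether messages where the sender and recipient share a domain should be excluded, or at least document that expectation in the description.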
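Review bot: The rewritten description line still expands SLD as "Single Level Domain"; the `.email.domain.sld` field the rule compares is the second-level domain (the label directly under the top-level domain), so the current wording misleads anyone tuning or triaging this rule. I would change the added line to `  This rule flags messages where the recipient's Second-Level Domain (SLD) is an exact match of the X-mailer value. This has been observed in Credential Phishing campaigns.`, which also fixes the missing possessive on "recipients". The line is well over 120 characters; if the project lints line length, a folded block scalar (`description: >-`) keeps the single-line value while wrapping the text in the file.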