From 7b006083f37652bd5f3f1b1265755dc945c7d4cd Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 28 Aug 2023 21:33:03 -0400
Subject: [PATCH 1/4] New Rule: Suspicious TLD in headers with SPF/DMARC failures or high confidence credential theft
---
 ..._in_hops_with_authfailure_or_credtheft.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
diff --git a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
new file mode 100644
index 00000000000..816daec9ff9
--- /dev/null
+++ b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
@@ -0,0 +1,28 @@
+name: "Suspicious TLD in headers with SPF/DMARC failures or high confidence credential theft"
+description: |
+ Flags inbound emails with suspicious TLDs in the headers, SPF/DMARC failures, or high-confidence credential theft indicators
+references:
+
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(headers.domains, .tld in $suspicious_tlds)
+ // SPF Errors/Failures or DMARC Fail
+ and (
+ any(distinct(headers.hops, .received_spf.verdict is not null),
+ regex.icontains(.received_spf.verdict, "fail|error")
+ or any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+
+ // Or Cred_theft confidence High
+ or any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name in ("cred_theft") and .confidence == "high"
+ )
+ )
+ )
+ )
+
+
+tags:
+
\ No newline at end of file
From b20fe4713360af61335a5d9054fdb59afcd3eb66 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 28 Aug 2023 21:34:48 -0400
Subject: [PATCH 2/4] Update headers_tld_in_hops_with_authfailure_or_credtheft.yml
---
 ...ers_tld_in_hops_with_authfailure_or_credtheft.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
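Review bot: The three conditions inside `and (` are nested rather than sibling clauses: the run of closing parens after `.confidence == "high"` shows the DMARC `any(...)` sits inside the predicate of the SPF `any(...)`, and the cred_theft `any(...)` inside the DMARC one, so neither a DMARC failure nor a high-confidence credential-theft intent can match unless the message also has a hop with a non-null received_spf verdict and a hop with a non-null dmarc result. Closing each `any(...)` before the following `or` makes the three checks independent, which is what the `// SPF Errors/Failures or DMARC Fail` and `// Or Cred_theft confidence High` comments describe; the restructured block is below. `distinct(headers.hops, .received_spf.verdict is not null)` also appears to key the de-duplication on a boolean, which would keep at most one hop per truth value instead of selecting the hops that carry a verdict — if a `filter` function is available that looks like the intended call, worth confirming. The description lists the three signals with "or", but the rule requires the suspicious TLD together with one of the others; `Flags inbound emails that contain a suspicious TLD in the headers and also show SPF/DMARC failures or high-confidence credential theft indicators` matches the logic.
```yaml
source: |
  // … unchanged: type.inbound and the suspicious-TLD clause …
  // SPF Errors/Failures or DMARC Fail
  and (
    any(distinct(headers.hops, .received_spf.verdict is not null),
        regex.icontains(.received_spf.verdict, "fail|error")
    )
    or any(distinct(headers.hops, .authentication_results.dmarc is not null),
           strings.ilike(.authentication_results.dmarc, "*fail")
    )
    // Or Cred_theft confidence High
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name in ("cred_theft") and .confidence == "high"
    )
  )
```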
diff --git a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
index 816daec9ff9..995fdce76f0 100644
--- a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
+++ b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
@@ -1,8 +1,6 @@
 name: "Suspicious TLD in headers with SPF/DMARC failures or high confidence credential theft"
 description: |
 Flags inbound emails with suspicious TLDs in the headers, SPF/DMARC failures, or high-confidence credential theft indicators
-references:
-
 type: "rule"
 severity: "medium"
 source: |
@@ -22,7 +20,9 @@ source: |
 )
 )
 )
-
-
-tags:
-
\ No newline at end of file
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+detection_methods:
+ - "Header analysis"
+ - "Natural Language Understanding"
From 8b3a7e8282ce40f49cfdcff873129b8aa1130157 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 29 Aug 2023 01:36:54 +0000
Subject: [PATCH 3/4] Auto add rule ID
---
 .../headers_tld_in_hops_with_authfailure_or_credtheft.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
index 995fdce76f0..bcb15a9259a 100644
--- a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
+++ b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
@@ -26,3 +26,4 @@ attack_types:
 detection_methods:
 - "Header analysis"
 - "Natural Language Understanding"
+id: "e8696023-4a1e-542a-8c22-784a3d33c7a4"
From 4eb80d9eb3ddeb14d9a47b72ad711f41ea64b00c Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 28 Aug 2023 22:00:00 -0400
Subject: [PATCH 4/4] Update headers_tld_in_hops_with_authfailure_or_credtheft.yml
---
 .../headers_tld_in_hops_with_authfailure_or_credtheft.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
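Review bot: `attack_types` in the second hunk lists `"BEC/Fraud"` next to `"Credential Phishing"`, but the only content signal the rule evaluates is the `cred_theft` intent and nothing in the header conditions is specific to BEC, so unless the auth-failure/suspicious-TLD combination is meant to stand in for BEC indicators the tag overstates what the rule detects and will mis-bucket its alerts. Dropping that entry, or adding a BEC-specific intent to the NLU check, keeps the metadata in step with the logic; the hunk shows only the metadata, and the rule body it classifies lies outside it.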
diff --git a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
index bcb15a9259a..78351fb932a 100644
--- a/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
+++ b/detection-rules/headers_tld_in_hops_with_authfailure_or_credtheft.yml
@@ -5,7 +5,7 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- and any(headers.domains, .tld in $suspicious_tlds)
+ and any(headers.domains, .tld in $suspicious_tlds and .tld != sender.email.domain.tld)
 // SPF Errors/Failures or DMARC Fail
 and (
 any(distinct(headers.hops, .received_spf.verdict is not null),
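Review bot: The added `.tld != sender.email.domain.tld` compares only the TLD, so it excludes every header domain that shares the sender's TLD rather than just the sender's own domain; a message from a suspicious-TLD sender whose hop domains all sit on that TLD can no longer fire even with SPF/DMARC failures, which is the case the rule name describes. If the intent is to ignore the sender's own domain, comparing the domain instead of its TLD, e.g. `.domain != sender.email.domain.domain` (or the root-domain field if that is the intended scope), keeps the suspicious-TLD check while dropping the self-match. If the broader exclusion is deliberate because another rule covers suspicious sender TLDs, a comment on that line saying so would stop it being "fixed" later; the `any(...)` call this hunk changes is complete within the hunk, but the `and (` group that follows continues past it.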