Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Rule: Credential Phishing: Image as content, short or no body contents #771

Merged
merged 5 commits into from
Sep 8, 2023
Merged

New Rule: Credential Phishing: Image as content, short or no body contents #771

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2bcac7a
New Rule: Credential Theft: Image as content, short or no body contents
morriscode Sep 5, 2023
41452b1
Update attachment_credential_phishing_image_as_content.yml
morriscode Sep 5, 2023
ee54b63
Auto add rule ID
Sep 5, 2023
39197c1
Merge branch 'main' into sam.image.as.content.credphish
morriscode Sep 7, 2023
385b4e3
Merge branch 'main' into sam.image.as.content.credphish
morriscode Sep 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions detection-rules/attachment_credential_phishing_image_as_content.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
name: "Credential Phishing: Image as content, short or no body contents"
description: |
This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
to high-confidence credit theft intentions.
type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.links) < 2
and 0 < (length(attachments)) < 3
and (
// body text is very short
(
0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
)
or (
length(body.current_thread.text) < 900
// or body is most likely all warning banner (text contains the sender and common warning banner language)
and (
(
strings.contains(body.current_thread.text, sender.email.email)
and strings.contains(body.current_thread.text, 'caution')
)
or regex.icontains(body.current_thread.text,
"intended recipient's use only|external email|sent from outside|you don't often"
)
)
)
)
and (
all(attachments,
(.file_type in $file_types_images)
and (
any(file.explode(.),
any(.scan.exiftool.fields, .value == "Truncated PNG image")
or (
any(ml.logo_detect(..).brands, .name is not null)
and any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
)
)
)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Image as content"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
id: "01313f38-d0d1-5240-b407-8f9158639277"