Updating rule: link_microsoft_low_reputation.yml #778

Closed
wants to merge 5 commits into from
15 changes: 7 additions & 8 deletions detection-rules/link_microsoft_low_reputation.yml
@@ -7,12 +7,11 @@ source: |
// suspicious link
and any(body.links,
(
.href_url.domain.root_domain not in $tranco_1m
.href_url.domain.domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or

// mass mailer link, masks the actual URL
.href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")

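Review bot: switching the Tranco test on the first two lines of the hunk from `.href_url.domain.root_domain` to `.href_url.domain.domain` widens the match considerably: if `$tranco_1m` is, as the Tranco list mostly is, keyed on registrable domains, a link to any subdomain of a top-1M site now fails the reputation check unless that exact hostname happens to be listed. That may be the intent (the explicit `sharepoint.com` and `1drv.ms` exclusions later in the rule suggest it is), but it should be stated in the rule's description, and the overlap with the `$free_subdomain_hosts` condition two lines below deserves a comment so the next reader knows both conditions are deliberately present rather than one being a leftover.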
@@ -22,22 +21,22 @@ source: |
and strings.starts_with(.href_url.path, "/amp/")
)
)

// exclude sources of potential FPs
and .href_url.domain.root_domain not in (
"svc.ms",
"sharepoint.com",
"1drv.ms",
"microsoft.com"
)
and .href_url.domain.root_domain not in $org_domains
)

// not a reply
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

// Microsoft logo
and (
any(attachments,
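Review bot: the FP exclusion `and .href_url.domain.root_domain not in ("svc.ms", "sharepoint.com", "1drv.ms", "microsoft.com")` exempts every tenant under those roots, including an attacker-registered tenant hosting the phishing page, so a Microsoft-branded lure whose only link points at `<tenant>.sharepoint.com` or a `1drv.ms` share is never treated as a suspicious link by this rule unless the message carries a second link that does match. If the goal is to avoid FPs on the organisation's own shares, the `$org_domains` line directly below already covers that; otherwise consider narrowing the exclusion to the org's own tenant hostnames, or handling Microsoft-hosted links in a separate rule, and say in the description which choice was made. Separately, the "not a reply" block is an `or`: a message with `References` populated but no `In-Reply-To` hop field still counts as not-a-reply, which is lenient in the direction of more matches and fine if that is intended, but worth a comment.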
@@ -46,7 +45,7 @@ source: |
)
or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
)

// suspicious content
and (
(
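Review bot: `strings.starts_with(.name, "Microsoft")` on the `ml.logo_detect(beta.message_screenshot()).brands` result is a prefix match, so it also catches brand names such as "Microsoft 365"; that is probably wanted, but a one-line comment saying so would stop a future edit from tightening it to an equality check. Because this branch is OR'ed with the attachment-based logo check above it, a legitimate Microsoft-branded mail only escapes via the sender-domain exclusion list at the end of the rule, so that list and this logo condition need to be kept in sync when either is edited.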
@@ -110,18 +109,18 @@ source: |
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence in~ ("medium", "high"))
)
)
or (
any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
and any(ml.nlu_classifier(body.current_thread.text).intents, .name not in~ ("benign", "unknown")
Member:
@aidenmitchell does this need to be an all to match our previous behavior? as written, we could get a benign:high and cred_theft:low and still flag here

Member Author:
I don't think we could get a benign and cred_theft intent, because we're only evaluating one thing, body.current_thread.text?

Member:
.intents is an array because I think we can return multiple with different confidence levels, but @bfilar can confirm

Member:
So if the model returns benign, that would be the only intent we return. If benign is not present in the intent array, we could return something like: (cred_theft, steal_pii)

)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"cloudappsecurity.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
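Review bot: the rewritten thread-text condition `any(ml.nlu_classifier(body.current_thread.text).intents, .name not in~ ("benign", "unknown"))` is looser than the `not any(..., .name == "benign" and .confidence == "high")` it replaces in two ways. The old line only suppressed the match on a high-confidence benign verdict; the new one fires on any non-benign, non-unknown intent regardless of confidence, so a lone cred_theft:low is enough, which is inconsistent with the OCR branch a few lines up that now gates cred_theft on `.confidence in~ ("medium", "high")`. And, as raised in the thread above, `any` is only equivalent to `all` here if the classifier never returns benign alongside another intent; if that exclusivity is a model guarantee, record it in a comment next to the condition, otherwise switch to `all` (or add the same confidence gate as the OCR branch) so a benign:high plus cred_theft:low message cannot match.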