diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml index 3579bb944e5..5e467937174 100644 --- a/detection-rules/link_microsoft_low_reputation.yml +++ b/detection-rules/link_microsoft_low_reputation.yml @@ -3,134 +3,139 @@ description: "Detects low reputation links with Microsoft specific indicators in type: "rule" severity: "medium" source: | - type.inbound - // suspicious link - and any(body.links, - ( - .href_url.domain.root_domain not in $tranco_1m - or .href_url.domain.domain in $free_file_hosts - or .href_url.domain.root_domain in $free_subdomain_hosts - or .href_url.domain.domain in $url_shorteners - or - - // mass mailer link, masks the actual URL - .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net") - - // Google AMP redirect - or ( - .href_url.domain.sld == "google" - and strings.starts_with(.href_url.path, "/amp/") - ) - ) - - // exclude sources of potential FPs - and .href_url.domain.root_domain not in ( - "svc.ms", - "sharepoint.com", - "1drv.ms", - "microsoft.com" - ) - ) - - // not a reply - and ( - length(headers.references) == 0 - or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) - ) - - // Microsoft logo - and ( - any(attachments, - .file_type in $file_types_images - and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) - ) - or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) - ) - - // suspicious content - and ( - ( - strings.ilike(body.plain.raw, - "*password*", - "*document*", - "*voicemail*", - "*cache*", - "*fax*", - "*storage*", - "*quota*", - "*messages*" - ) - and strings.ilike(body.plain.raw, - "*terminated*", - "*review*", - "*expire*", - "*click*", - "*view*", - "*exceed*", - "*clear*", - "*only works*", - "*failed*", - "*deleted*" - ) - ) - or ( - any(attachments, + type.inbound + // suspicious link + and any(body.links, + ( + .href_url.domain.root_domain not in $tranco_1m + or .href_url.domain.domain in $free_file_hosts + or .href_url.domain.root_domain in $free_subdomain_hosts + or .href_url.domain.domain in $url_shorteners + or + + // mass mailer link, masks the actual URL + .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net") + + // Google AMP redirect + or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/")) + ) + + // exclude sources of potential FPs + and ( + .href_url.domain.root_domain not in ( + "svc.ms", + "sharepoint.com", + "1drv.ms", + "microsoft.com", + "aka.ms", + "msftauthimages.net" + ) + or any(body.links, .href_url.domain.domain in $free_file_hosts) + ) + ) + + // not a reply + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // Microsoft logo + and ( + any(attachments, + .file_type in $file_types_images + and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) + ) + or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) + ) + + // suspicious content + and ( + ( + strings.ilike(body.plain.raw, + "*password*", + "*document*", + "*voicemail*", + "*cache*", + "*fax*", + "*storage*", + "*quota*", + "*messages*" + ) + and strings.ilike(body.plain.raw, + "*terminated*", + "*review*", + "*expire*", + "*click*", + "*view*", + "*exceed*", + "*clear*", + "*only works*", + "*failed*", + "*deleted*" + ) + ) + or ( + any(attachments, + .file_type in $file_types_images + and any(file.explode(.), + strings.ilike(.scan.ocr.raw, + "*password*", + "*document*", + "*voicemail*", + "*cache*", + "*fax*", + "*storage*", + "*quota*", + "*messages*" + ) + and strings.ilike(.scan.ocr.raw, + "*terminated*", + "*review*", + "*expire*", + "*click*", + "*view*", + "*exceed*", + "*clear*", + "*only works*", + "*failed*", + "*deleted*" + ) + ) + ) + ) + ) + and ( + any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "cred_theft" and .confidence in~ ("medium", "high") + ) + or any(attachments, .file_type in $file_types_images and any(file.explode(.), - strings.ilike(.scan.ocr.raw, - "*password*", - "*document*", - "*voicemail*", - "*cache*", - "*fax*", - "*storage*", - "*quota*", - "*messages*" - ) - and strings.ilike(.scan.ocr.raw, - "*terminated*", - "*review*", - "*expire*", - "*click*", - "*view*", - "*exceed*", - "*clear*", - "*only works*", - "*failed*", - "*deleted*" + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "cred_theft" and .confidence in ("medium", "high") ) ) - ) - ) - ) - and ( - any(ml.nlu_classifier(body.html.inner_text).intents, - .name == "cred_theft" and .confidence in~ ("medium", "high") - ) - or any(attachments, - .file_type in $file_types_images - and any(file.explode(.), - any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft") - ) - ) - or ( - any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") - and not any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "benign" and .confidence == "high" - ) - ) - ) - and sender.email.domain.root_domain not in ( - "bing.com", - "microsoft.com", - "microsoftonline.com", - "microsoftsupport.com", - "microsoft365.com", - "office.com", - "onedrive.com", - "sharepointonline.com", - "yammer.com" - ) + ) + or ( + any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") + and not any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "benign" and .confidence == "high" + ) + ) + ) + and sender.email.domain.root_domain not in ( + "bing.com", + "microsoft.com", + "microsoftonline.com", + "microsoftsupport.com", + "microsoft365.com", + "office.com", + "onedrive.com", + "sharepointonline.com", + "yammer.com" + ) + attack_types: - "Credential Phishing" tactics_and_techniques: