From 3a298ab5a85ee8224669dd0e57e69b727046a040 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 19 Sep 2023 17:07:54 -0400
Subject: [PATCH] FP Tune: Update link_credential_phishing_secure_message.yml

Negating known secure mailers
---
 .../link_credential_phishing_secure_message.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 4cf9ed06d0b..60f0fe56787 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -8,26 +8,28 @@ source: |
 and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft" and .confidence == "high" )
-
+
 // ----- other suspicious signals here -----
 and strings.icontains(body.html.display_text, "secure message")
-
+
 // todo: automated display name / human local part
 // todo: suspicious link (unfurl click trackers)
-
+
 // ----------
-
+
 // has at least 1 link
 and length(body.links) > 0
-
+
 // negate legitimate message senders
 and (
 sender.email.domain.root_domain not in ("protectedtrust.com")
 and any(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain )
+ // Negate known secure mailer(s)
+ and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))
 )
-
+
 // first-time sender
 and (
 (
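Review bot: The new `not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))` exclusion is keyed entirely on an attacker-controllable attribute — where the links point — with no sender-side corroboration, so a credential-phishing message whose every link resolves to mimecast.com (which could happen if a Mimecast secure-messaging portal were abused) would now bypass the rule. The existing `protectedtrust.com` negation two lines above is at least anchored on `sender.email.domain.root_domain`; consider gating the Mimecast exclusion on a comparable sender or authentication signal rather than link targets alone, or at minimum document the accepted risk with a comment such as `// assumes an all-mimecast.com link set only occurs in legitimate Mimecast secure messages; revisit if abused`. Note that `length(body.links) > 0` earlier in the hunk prevents the `all()` from vacuously matching an empty link list, so that edge case is already covered. The `source:` block this hunk edits starts before line 8 and the `// first-time sender` group continues past the hunk.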