From b3471ce64d9cdc1788afe053f76c4f806801d761 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 12:47:20 -0400 Subject: [PATCH 1/3] New Rule: Credential Phishing: Suspicious language, link, recipients and other indicators --- ...icious_language_undisclosed_recipients.yml | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 detection-rules/link_suspicious_language_undisclosed_recipients.yml diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml new file mode 100644 index 00000000000..ccceac21d85 --- /dev/null +++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml @@ -0,0 +1,54 @@ +name: "Credential Phishing: Suspicious language, link, recipients and other indicators" +description: | + The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender. +references: + +type: "rule" +severity: "medium" +source: | + type.inbound + + // no recipients defined + and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients")) + and length(recipients.cc) == 0 + and length(recipients.bcc) == 0 + + and any(body.links, + + // suspicious link + // we've particularly seen 1drv.ms abused + // if using the full list causes FPs, we can reduce the + // scope to a hard-coded list or add exclusions + ( + .href_url.domain.domain in $free_file_hosts + or .href_url.domain.root_domain in $free_subdomain_hosts + ) + + // link text is in all caps + and regex.match(.display_text, "[A-Z ]+") + ) + + // any confidence cred_theft classification + and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft") + + // 'org' entity is in all caps + and any(ml.nlu_classifier(body.current_thread.text).entities, + .name == "org" and regex.match(.text, "[A-Z ]+") + ) + + // subject is in all caps + and regex.match(subject.subject, "[A-Z ]+") + + // first-time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +tags: + \ No newline at end of file From 4b4f526305b5a8859b0b56af6d29725966d5ce73 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 12:49:22 -0400 Subject: [PATCH 2/3] New Rule: link_suspicious_language_undisclosed_recipients.yml --- ..._suspicious_language_undisclosed_recipients.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml index ccceac21d85..13fe29bfc35 100644 --- a/detection-rules/link_suspicious_language_undisclosed_recipients.yml +++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml @@ -1,8 +1,6 @@ name: "Credential Phishing: Suspicious language, link, recipients and other indicators" description: | The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender. -references: - type: "rule" severity: "medium" source: | @@ -50,5 +48,13 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - \ No newline at end of file +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" + - "URL analysis" From 5b4c5bd29e06754e6f71c857824f67a50726f693 Mon Sep 17 00:00:00 2001 From: ID Generator Date: Wed, 20 Sep 2023 16:51:12 +0000 Subject: [PATCH 3/3] Auto add rule ID --- .../link_suspicious_language_undisclosed_recipients.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml index 13fe29bfc35..7fcb7a130ba 100644 --- a/detection-rules/link_suspicious_language_undisclosed_recipients.yml +++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml @@ -58,3 +58,4 @@ detection_methods: - "Natural Language Understanding" - "Sender analysis" - "URL analysis" +id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"