Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Rule: Credential Phishing: Suspicious language, link, recipients and other indicators #804

Merged
merged 3 commits into from
Sep 20, 2023
Merged

New Rule: Credential Phishing: Suspicious language, link, recipients and other indicators #804

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b3471ce
New Rule: Credential Phishing: Suspicious language, link, recipients …
morriscode Sep 20, 2023
4b4f526
New Rule: link_suspicious_language_undisclosed_recipients.yml
morriscode Sep 20, 2023
5b4c5bd
Auto add rule ID
Sep 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions detection-rules/link_suspicious_language_undisclosed_recipients.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
name: "Credential Phishing: Suspicious language, link, recipients and other indicators"
description: |
The rule flags inbound messages with no visible recipients, contain all-caps text, and include links from certain free hosts. It also checks for signs of credential theft using machine learning classifiers and is from a first-time sender.
type: "rule"
severity: "medium"
source: |
type.inbound

// no recipients defined
and (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
and length(recipients.cc) == 0
and length(recipients.bcc) == 0

and any(body.links,

// suspicious link
// we've particularly seen 1drv.ms abused
// if using the full list causes FPs, we can reduce the
// scope to a hard-coded list or add exclusions
(
.href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
)

// link text is in all caps
and regex.match(.display_text, "[A-Z ]+")
)

// any confidence cred_theft classification
and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft")

// 'org' entity is in all caps
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and regex.match(.text, "[A-Z ]+")
)

// subject is in all caps
and regex.match(subject.subject, "[A-Z ]+")

// first-time sender
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
id: "dcb39190-7ea1-5e82-8d6b-0242affdb6e3"
Loading