From 20282ba178ecf894c464a7865146d9d96c72af26 Mon Sep 17 00:00:00 2001 
From: Sam Scholten Date: Fri, 22 Sep 2023 12:55:16 -0400 Subject: [PATCH 01/23] Third time is a charm --- .../attachment_adobe_image_lure_fts.yml | 9 +++------ ...achment_any_html_in_archive_unsolicited.yml | 9 +++------ .../attachment_any_html_new_sender.yml | 9 +++------ .../attachment_any_html_unsolicited.yml | 9 +++------ .../attachment_callback_phish_with_img.yml | 9 +++------ .../attachment_callback_phish_with_pdf.yml | 9 +++------ ...achment_docusign_image_suspicious_links.yml | 9 +++------ ...tachment_dropbox_image_suspicious_links.yml | 9 +++------ detection-rules/attachment_eml_cred_theft.yml | 9 +++------ .../attachment_eml_with_html_attachment.yml | 9 +++------ ...chment_emotet_heavily_padded_doc_in_zip.yml | 9 +++------ .../attachment_encrypted_ole_unsolicited.yml | 9 +++------ .../attachment_html_attachment_login_page.yml | 9 +++------ ...hment_html_smuggling_double_encoded_zip.yml | 9 +++------ ...achment_html_smuggling_microsoft_signin.yml | 9 +++------ .../attachment_js_file_execution.yml | 9 +++------ detection-rules/attachment_malwarebazaar.yml | 9 +++------ .../attachment_mht_embedded_vbscript.yml | 9 +++------ ...attachment_microsoft_image_lure_qr_code.yml | 9 +++------ detection-rules/attachment_office365_image.yml | 9 +++------ ...ent_office_file_relationship_cred_theft.yml | 9 +++------ detection-rules/attachment_pdf_link_to_dmg.yml | 9 +++------ ..._pdf_linking_to_password_protected_file.yml | 9 +++------ ...low_reputation_link_to_suspicious_files.yml | 9 +++------ ...df_with_low_reputation_link_to_zip_file.yml | 9 +++------ .../attachment_soliciting_enable_macros.yml | 9 +++------ ..._suspicious_vba_macro_first_time_sender.yml | 9 +++------ detection-rules/attachment_svg_embedded_js.yml | 9 +++------ ...achment_vba_macro_auto_exec_unsolicited.yml | 9 +++------ ...achment_vba_macro_auto_open_unsolicited.yml | 9 +++------ ...chment_vba_macro_employee_impersonation.yml | 9 +++------ .../attachment_vba_macro_high_risk.yml | 9 +++------ 
...tachment_with_encrypted_zip_unsolicited.yml | 9 +++------ ...ment_with_suspicious_author_unsolicited.yml | 9 +++------ ..._with_unknown_encrypted_zip_unsolicited.yml | 9 +++------ ...dy_business_email_compromise_new_sender.yml | 9 +++------ ...y_business_email_compromise_unsolicited.yml | 9 +++------ .../body_callback_phishing_no_attachment.yml | 9 +++------ detection-rules/body_job_scam_new_sender.yml | 9 +++------ ...llback_phishing_nlu_body_or_attachments.yml | 9 +++------ ...ring_link_from_suspicious_sender_domain.yml | 9 +++------ .../file_sharing_link_suspicious_subject.yml | 9 +++------ ...ed_recipients_no_links_freemail_replyto.yml | 9 +++------ .../headers_replyto_new_domain_nlu_request.yml | 9 +++------ detection-rules/headers_russia_return_path.yml | 9 +++------ .../impersonation_amazon_suspicious_text.yml | 9 +++------ detection-rules/impersonation_barracuda.yml | 13 +++++-------- detection-rules/impersonation_chase.yml | 13 +++++-------- detection-rules/impersonation_dhl.yml | 9 +++------ detection-rules/impersonation_docusign.yml | 9 +++------ .../impersonation_employee_payroll_fraud.yml | 9 +++------ .../impersonation_employee_subject.yml | 9 +++------ .../impersonation_employee_urgent_request.yml | 9 +++------ ...thread_mismatched_from_freemail_replyto.yml | 9 +++------ detection-rules/impersonation_finra.yml | 9 +++------ detection-rules/impersonation_github.yml | 9 +++------ .../impersonation_human_resources.yml | 9 +++------ detection-rules/impersonation_microsoft.yml | 9 +++------ detection-rules/impersonation_paypal.yml | 9 +++------ .../impersonation_recipient_domain.yml | 9 +++------ ...ation_recipient_sld_in_sender_local_fts.yml | 9 +++------ detection-rules/impersonation_ripple.yml | 9 +++------ detection-rules/impersonation_spotify.yml | 9 +++------ detection-rules/impersonation_stellar.yml | 9 +++------ .../impersonation_sublime_security.yml | 9 +++------ .../impersonation_vip_urgent_request.yml | 9 +++------ 
detection-rules/inline_image_as_message.yml | 9 +++------ detection-rules/link_credential_phishing.yml | 9 +++------ ...al_phishing_intent_and_other_indicators.yml | 9 +++------ ...link_credential_phishing_secure_message.yml | 9 +++------ ...shing_suspicious_sender_tld_and_signals.yml | 9 +++------ ..._credential_phishing_voicemail_language.yml | 9 +++------ ...nk_download_disk_image_in_encrypted_zip.yml | 9 +++------ .../link_download_suspicious_file.yml | 9 +++------ .../link_fake_fax_low_reputation.yml | 9 +++------ .../link_google_apps_script_macro.yml | 9 +++------ detection-rules/link_google_translate.yml | 9 +++------ ...link_html_smuggling_with_adobe_branding.yml | 9 +++------ ...ml_smuggling_with_google_drive_branding.yml | 9 +++------ detection-rules/link_ipfs_phishing.yml | 9 +++------ detection-rules/link_login_or_captcha.yml | 9 +++------ .../link_microsoft_device_code_phish.yml | 9 +++------ ...icrosoft_impersonation_using_hosted_png.yml | 9 +++------ ...nk_new_domain_in_link_first_time_sender.yml | 9 +++------ detection-rules/link_notion_file_share.yml | 9 +++------ .../link_qr_code_suspicious_language_fts.yml | 9 +++------ ...picious_language_undisclosed_recipients.yml | 9 +++------ ...s_campaign_recipient_address_new_sender.yml | 9 +++------ detection-rules/open_redirect_avast.yml | 9 +++------ ...ipients_undisclosed_free_subdomain_host.yml | 9 +++------ ...ender_new_from_domain_first_time_sender.yml | 9 +++------ ...gn_excessive_display_text_with_keywords.yml | 9 +++------ detection-rules/spam_new_domain_emojis.yml | 9 +++------ detection-rules/spam_url_shortener_emojis.yml | 9 +++------ ..._impersonation_attack_surface_reduction.yml | 18 ++++++------------ 95 files changed, 292 insertions(+), 580 deletions(-) diff --git a/detection-rules/attachment_adobe_image_lure_fts.yml b/detection-rules/attachment_adobe_image_lure_fts.yml index 78125362de3..7ebf6e6e729 100644 --- a/detection-rules/attachment_adobe_image_lure_fts.yml 
+++ b/detection-rules/attachment_adobe_image_lure_fts.yml
@@ -20,13 +20,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
index ddf0659e54e..30a50f50846 100644
--- a/detection-rules/attachment_any_html_in_archive_unsolicited.yml
+++ b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
@@ -14,13 +14,10 @@ source: |
 and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
index cc22e73e915..881e39ae6d0 100644
--- a/detection-rules/attachment_any_html_new_sender.yml
+++ b/detection-rules/attachment_any_html_new_sender.yml
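Review bot: The new disjunct `or ( profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives )` lets each of these rules fire for a sender that is neither new nor unsolicited, which is wider than the `$sender_emails`/`$sender_domains` and `$recipient_emails`/`$recipient_domains` membership tests it replaces, and nothing in the hunk records that widening. The same replacement is made in every hunk on this page, and in the hunks that keep a `// first-time sender`, `// first time sender`, `// unsolicited` or `// Unsolicited` context comment (attachment_any_html_new_sender, attachment_any_html_unsolicited, attachment_eml_cred_theft, attachment_eml_with_html_attachment, attachment_html_attachment_login_page, attachment_js_file_execution, attachment_mht_embedded_vbscript, attachment_microsoft_image_lure_qr_code, attachment_office365_image, attachment_pdf_link_to_dmg, both attachment_pdf_with_low_reputation_link rules, attachment_svg_embedded_js, body_business_email_compromise_new_sender, body_business_email_compromise_unsolicited) that comment now describes only the first disjunct. Suggest replacing it with `// first-time/outlier sender, or a sender with prior malicious messages and no false positives` (or the unsolicited equivalent) so whoever tunes the rule sees why an established sender can match. `prevalence in ("new", "outlier")` likewise admits rare-but-previously-seen senders that the old `not in $sender_domains` test excluded; presumably intended, but the commit message does not say so and the rule description should. The `source: |` expression each hunk edits begins and ends outside the hunk.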
@@ -14,13 +14,10 @@ source: |
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index 075feda5569..98540568841 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -14,13 +14,10 @@ source: |
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_callback_phish_with_img.yml b/detection-rules/attachment_callback_phish_with_img.yml
index e9ce44623c7..226f8e5567e 100644
--- a/detection-rules/attachment_callback_phish_with_img.yml
+++ b/detection-rules/attachment_callback_phish_with_img.yml
@@ -10,13 +10,10 @@ severity: "high"
 source: |
 type.inbound
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 and sender.email.domain.root_domain in $free_email_providers
diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
index 1b6f24a320b..4a9180c1df3 100644
--- a/detection-rules/attachment_callback_phish_with_pdf.yml
+++ b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -8,13 +8,10 @@ severity: "high"
 source: |
 type.inbound
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index 514b82554c1..d70d88ddbcd 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -26,13 +26,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml
index 1de0a856b31..c8e09723e63 100644
--- a/detection-rules/attachment_dropbox_image_suspicious_links.yml
+++ b/detection-rules/attachment_dropbox_image_suspicious_links.yml
@@ -14,13 +14,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
index a85a54f7777..cd9516fac1b 100644
--- a/detection-rules/attachment_eml_cred_theft.yml
+++ b/detection-rules/attachment_eml_cred_theft.yml
@@ -32,13 +32,10 @@ source: |
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml
index 68fac95489f..5d83a8a48d0 100644
--- a/detection-rules/attachment_eml_with_html_attachment.yml
+++ b/detection-rules/attachment_eml_with_html_attachment.yml
@@ -43,13 +43,10 @@ source: |
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
index b23bcff7ba2..3f0782d363c 100644
--- a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
+++ b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
@@ -19,13 +19,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
index 6e591479b56..90bc95fa39a 100644
--- a/detection-rules/attachment_encrypted_ole_unsolicited.yml
+++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -13,13 +13,10 @@ source: |
 and file.oletools(.).indicators.encryption.exists
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml
index 6f720efda3f..86267c2c615 100644
--- a/detection-rules/attachment_html_attachment_login_page.yml
+++ b/detection-rules/attachment_html_attachment_login_page.yml
@@ -70,13 +70,10 @@ source: |
 )
 // Unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
index d1d56ea9890..dfa2caec04d 100644
--- a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
+++ b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml
@@ -13,13 +13,10 @@ authors:
 source: |
 type.inbound
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 and any(attachments,
diff --git a/detection-rules/attachment_html_smuggling_microsoft_signin.yml b/detection-rules/attachment_html_smuggling_microsoft_signin.yml
index 5bc76594293..9edceef1f6b 100644
--- a/detection-rules/attachment_html_smuggling_microsoft_signin.yml
+++ b/detection-rules/attachment_html_smuggling_microsoft_signin.yml
@@ -25,13 +25,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 // allow Microsoft domains just to be safe
diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml
index 642e8a53016..38c9cfd2053 100644
--- a/detection-rules/attachment_js_file_execution.yml
+++ b/detection-rules/attachment_js_file_execution.yml
@@ -17,13 +17,10 @@ source: |
 )
 // first-time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_malwarebazaar.yml b/detection-rules/attachment_malwarebazaar.yml
index 96091611291..b8a5be43491 100644
--- a/detection-rules/attachment_malwarebazaar.yml
+++ b/detection-rules/attachment_malwarebazaar.yml
@@ -6,13 +6,10 @@ source: |
 type.inbound
 and any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters)
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml
index dd75945472b..8194fdf9a7c 100644
--- a/detection-rules/attachment_mht_embedded_vbscript.yml
+++ b/detection-rules/attachment_mht_embedded_vbscript.yml
@@ -17,13 +17,10 @@ source: |
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 893ce305af0..1409285a68d 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -37,13 +37,10 @@ source: |
 )
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index 012788a6b7a..e1b97415dab 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -56,13 +56,10 @@ source: |
 )
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_office_file_relationship_cred_theft.yml b/detection-rules/attachment_office_file_relationship_cred_theft.yml
index bf5dd44065f..165654bdc53 100644
--- a/detection-rules/attachment_office_file_relationship_cred_theft.yml
+++ b/detection-rules/attachment_office_file_relationship_cred_theft.yml
@@ -23,13 +23,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml
index da3da87d685..5a7cf4357e3 100644
--- a/detection-rules/attachment_pdf_link_to_dmg.yml
+++ b/detection-rules/attachment_pdf_link_to_dmg.yml
@@ -43,13 +43,10 @@ source: |
 // first time sender
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
index ee11e2e24b8..0e67b35b16f 100644
--- a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
+++ b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
@@ -19,13 +19,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
index c89d21b1247..00a82837ed2 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -19,13 +19,10 @@ source: |
 )
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
index b198d9f3d6b..4d5ef5a96d2 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
@@ -20,13 +20,10 @@ source: |
 )
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 tags:
diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml
index 3ba77138bc1..070526614d1 100644
--- a/detection-rules/attachment_soliciting_enable_macros.yml
+++ b/detection-rules/attachment_soliciting_enable_macros.yml
@@ -19,13 +19,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
index c76d0b80421..cbfbae97364 100644
--- a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
+++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
@@ -11,13 +11,10 @@ source: |
 and ml.macro_classifier(.).confidence in ("high")
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $sender_emails
- )
+ profile.by_sender().prevalence in ("new", "outlier")
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $sender_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml
index 0daca577a33..db0f5ca3850 100644
--- a/detection-rules/attachment_svg_embedded_js.yml
+++ b/detection-rules/attachment_svg_embedded_js.yml
@@ -24,13 +24,10 @@ source: |
 // unsolicited
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
index 37e28fd0864..ad0d26e90cf 100644
--- a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
@@ -14,13 +14,10 @@ source: |
 and any(file.oletools(.).macros.keywords, .type =~ "autoexec")
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
index 15d1abef2b1..54e7c4208f9 100644
--- a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
@@ -15,13 +15,10 @@ source: |
 and any(file.explode(.), any(.scan.vba.auto_exec, . == "AutoOpen"))
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml
index 56297c4fc66..9b050074c1a 100644
--- a/detection-rules/attachment_vba_macro_employee_impersonation.yml
+++ b/detection-rules/attachment_vba_macro_employee_impersonation.yml
@@ -21,13 +21,10 @@ source: |
 and file.oletools(.).indicators.vba_macros.exists
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml
index 87e0802a0d1..b3500a0270b 100644
--- a/detection-rules/attachment_vba_macro_high_risk.yml
+++ b/detection-rules/attachment_vba_macro_high_risk.yml
@@ -12,13 +12,10 @@ source: |
 and file.oletools(.).indicators.vba_macros.risk == "high"
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
index 02c3d167ed8..4c05b3bcbe9 100644
--- a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
+++ b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
@@ -12,13 +12,10 @@ source: |
 and any(file.explode(.), any(.flavors.yara, . == 'encrypted_zip'))
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_with_suspicious_author_unsolicited.yml b/detection-rules/attachment_with_suspicious_author_unsolicited.yml
index b1a0aefa868..6f56408f68e 100644
--- a/detection-rules/attachment_with_suspicious_author_unsolicited.yml
+++ b/detection-rules/attachment_with_suspicious_author_unsolicited.yml
@@ -13,13 +13,10 @@ source: |
 and any(file.explode(.), strings.ilike(.scan.docx.author, "root"))
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
index ea490e8480e..d482759c61f 100644
--- a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
+++ b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
@@ -16,13 +16,10 @@ source: |
 )
 )
 and (
- (
- sender.email.domain.root_domain in $free_email_providers
- and sender.email.email not in $recipient_emails
- )
+ not profile.by_sender().solicited
 or (
- sender.email.domain.root_domain not in $free_email_providers
- and sender.email.domain.domain not in $recipient_domains
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
 )
 )
 attack_types:
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index 16fb9df2d5f..b71fcbe7dcc 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -23,13 +23,10 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml index a3181b43bd8..0b26b358674 100644 --- a/detection-rules/body_business_email_compromise_unsolicited.yml +++ b/detection-rules/body_business_email_compromise_unsolicited.yml @@ -45,13 +45,10 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/body_callback_phishing_no_attachment.yml b/detection-rules/body_callback_phishing_no_attachment.yml index b946d070b17..5baf207e6b7 100644 --- a/detection-rules/body_callback_phishing_no_attachment.yml +++ b/detection-rules/body_callback_phishing_no_attachment.yml 
@@ -9,13 +9,10 @@ source: | type.inbound and length(attachments) == 0 and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) and sender.email.domain.root_domain in $free_email_providers diff --git a/detection-rules/body_job_scam_new_sender.yml b/detection-rules/body_job_scam_new_sender.yml index e8f38c799a2..550153f4a07 100644 --- a/detection-rules/body_job_scam_new_sender.yml +++ b/detection-rules/body_job_scam_new_sender.yml @@ -11,13 +11,10 @@ source: | and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial") ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml index 2eaa5c00728..cc93e434a53 100644 --- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml +++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml 
@@ -25,13 +25,10 @@ source: | and strings.icontains(body.html.raw, "bigcommerce.com") ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml index 025a1355b86..b6e4e668a06 100644 --- a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml +++ b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml @@ -8,13 +8,10 @@ source: | and any(body.links, .href_url.domain.domain in $free_file_hosts) and sender.email.domain.tld in $suspicious_tlds and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml index 88d8b23f04c..4c7f168d10c 100644 --- a/detection-rules/file_sharing_link_suspicious_subject.yml +++ b/detection-rules/file_sharing_link_suspicious_subject.yml 
@@ -18,13 +18,10 @@ source: | and regex.icontains(subject.subject, 'immediately', 'urgent') and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign") and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml index f255d1269da..fbd85453272 100644 --- a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml +++ b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml @@ -16,13 +16,10 @@ source: | and not .email.domain.domain == sender.email.domain.domain ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml index ca6fcd540c8..c2f610c3353 100644 --- a/detection-rules/headers_replyto_new_domain_nlu_request.yml +++ b/detection-rules/headers_replyto_new_domain_nlu_request.yml 
@@ -27,13 +27,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/headers_russia_return_path.yml b/detection-rules/headers_russia_return_path.yml index a1aa279d27f..18a0c30d820 100644 --- a/detection-rules/headers_russia_return_path.yml +++ b/detection-rules/headers_russia_return_path.yml @@ -8,13 +8,10 @@ source: | and headers.return_path.domain.tld == "ru" and sender.email.email not in $recipient_emails and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_amazon_suspicious_text.yml b/detection-rules/impersonation_amazon_suspicious_text.yml index 018882fa9dc..787688af404 100644 --- a/detection-rules/impersonation_amazon_suspicious_text.yml +++ b/detection-rules/impersonation_amazon_suspicious_text.yml 
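Review bot: In the headers_russia_return_path.yml hunk the context line `and sender.email.email not in $recipient_emails` survives directly above the rewritten block, so this rule now combines the retired list-based unsolicited check with the new profile-based first-time-sender check, while every other hunk in this patch drops the list checks entirely. If the address-list check is still wanted on top of `profile.by_sender().prevalence in ("new", "outlier")`, a comment such as `// address-level unsolicited check kept alongside the sender profile` would record that it is deliberate; otherwise replacing it with `and not profile.by_sender().solicited` keeps the rule consistent with the rest of the patch. The remainder of the rule is outside the hunk.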
@@ -35,13 +35,10 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) and sender.email.domain.root_domain not in~ ( diff --git a/detection-rules/impersonation_barracuda.yml b/detection-rules/impersonation_barracuda.yml index ac9b348cb8c..fe14c733dfc 100644 --- a/detection-rules/impersonation_barracuda.yml +++ b/detection-rules/impersonation_barracuda.yml @@ -22,14 +22,11 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives + ) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml index 40990223d26..bb395d282f4 100644 --- a/detection-rules/impersonation_chase.yml +++ b/detection-rules/impersonation_chase.yml 
@@ -24,14 +24,11 @@ source: | and sender.display_name not in~ ("chaser", "case") and sender.email.domain.root_domain not in~ ('chase.com', 'united.com', 'transunion.com', 'shopping-chase.com') and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives + ) ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml index 3fee425bae3..68a974d5102 100644 --- a/detection-rules/impersonation_dhl.yml +++ b/detection-rules/impersonation_dhl.yml @@ -26,13 +26,10 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_docusign.yml b/detection-rules/impersonation_docusign.yml index 07d58391c7a..e60a1288116 100644 --- a/detection-rules/impersonation_docusign.yml +++ b/detection-rules/impersonation_docusign.yml 
@@ -53,13 +53,10 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml index 253133f8f10..4a7d299c552 100644 --- a/detection-rules/impersonation_employee_payroll_fraud.yml +++ b/detection-rules/impersonation_employee_payroll_fraud.yml @@ -25,13 +25,10 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_employee_subject.yml b/detection-rules/impersonation_employee_subject.yml index 1897f23e05d..546e95e428d 100644 --- a/detection-rules/impersonation_employee_subject.yml +++ b/detection-rules/impersonation_employee_subject.yml @@ -17,13 +17,10 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: 
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml index 3f6978174c4..b8ffd8cc3cf 100644 --- a/detection-rules/impersonation_employee_urgent_request.yml +++ b/detection-rules/impersonation_employee_urgent_request.yml @@ -26,13 +26,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml index 126d35c2cd8..52d323aa579 100644 --- a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml +++ b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml @@ -11,13 +11,10 @@ source: | // First-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/impersonation_finra.yml b/detection-rules/impersonation_finra.yml index 8922f317c38..1b8e6d23e9f 100644 --- a/detection-rules/impersonation_finra.yml +++ b/detection-rules/impersonation_finra.yml 
@@ -15,13 +15,10 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml index 8b3b3e79a5f..01ebb6359ab 100644 --- a/detection-rules/impersonation_github.yml +++ b/detection-rules/impersonation_github.yml @@ -29,13 +29,10 @@ source: | 'lithub.com' ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index 96c9e0d6bdc..ae983554ab1 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml @@ -18,13 +18,10 @@ source: | and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0 ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: 
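Review bot: In the impersonation_finra.yml hunk the context comment `// unsolicited` is followed by the first-time-sender condition `profile.by_sender().prevalence in ("new", "outlier")`, whereas every other hunk on this page pairs `// unsolicited` with `not profile.by_sender().solicited` and `// first-time sender` with the prevalence check. The mismatch predates this commit (the removed lines already used `$sender_emails` / `$sender_domains`), but since the block is being rewritten here it is the moment to either change the comment to `// first-time sender` or, if an unsolicited semantic was actually meant, switch the condition to `not profile.by_sender().solicited`. The rest of the rule body is outside the hunk.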
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml index 19f7c44aa24..a76b3f93a14 100644 --- a/detection-rules/impersonation_microsoft.yml +++ b/detection-rules/impersonation_microsoft.yml @@ -45,13 +45,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml index f8c180384a7..8ae92197782 100644 --- a/detection-rules/impersonation_paypal.yml +++ b/detection-rules/impersonation_paypal.yml @@ -55,13 +55,10 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml index d02e2a84f81..4d1ee53808b 100644 --- a/detection-rules/impersonation_recipient_domain.yml +++ b/detection-rules/impersonation_recipient_domain.yml 
@@ -34,13 +34,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml index 193fc25d260..07fdfe057b0 100644 --- a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml +++ b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml @@ -27,13 +27,10 @@ source: | ) and sender.email.domain.root_domain not in $org_domains and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_ripple.yml b/detection-rules/impersonation_ripple.yml index da3450cfb57..9b961db504c 100644 --- a/detection-rules/impersonation_ripple.yml +++ b/detection-rules/impersonation_ripple.yml 
@@ -11,13 +11,10 @@ source: | and regex.imatch(sender.display_name, '\bripple\b') and sender.email.domain.root_domain not in ("ripple.com", "ripplejobs.co.uk") and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml index cfddbc55737..543243dec9b 100644 --- a/detection-rules/impersonation_spotify.yml +++ b/detection-rules/impersonation_spotify.yml @@ -22,13 +22,10 @@ source: | and sender.email.domain.domain not in~ ('privaterelay.appleid.com') // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_stellar.yml b/detection-rules/impersonation_stellar.yml index 0a6c3a65b1e..12e88c0cd77 100644 --- a/detection-rules/impersonation_stellar.yml +++ b/detection-rules/impersonation_stellar.yml 
@@ -11,13 +11,10 @@ source: | and regex.imatch(sender.display_name, '\bstellar\b') and sender.email.domain.root_domain != "stellar.org" and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml index 092022258c8..f6e0cb1b2c6 100644 --- a/detection-rules/impersonation_sublime_security.yml +++ b/detection-rules/impersonation_sublime_security.yml @@ -14,13 +14,10 @@ source: | and sender.email.domain.domain != 'sublimesecurity.com' // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml index a0b24a6fd91..3d088726094 100644 --- a/detection-rules/impersonation_vip_urgent_request.yml +++ b/detection-rules/impersonation_vip_urgent_request.yml 
@@ -17,13 +17,10 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/inline_image_as_message.yml b/detection-rules/inline_image_as_message.yml index ce0948fce12..601121979f1 100644 --- a/detection-rules/inline_image_as_message.yml +++ b/detection-rules/inline_image_as_message.yml @@ -21,13 +21,10 @@ source: | ) and strings.ilike(body.html.raw, "*img*cid*") and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml index 214ae9fda81..576b26186cc 100644 --- a/detection-rules/link_credential_phishing.yml +++ b/detection-rules/link_credential_phishing.yml @@ -11,13 +11,10 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: 
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml index c564026ff9a..ffe72d80c6b 100644 --- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml +++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml @@ -299,13 +299,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml index 60f0fe56787..40e316e48c7 100644 --- a/detection-rules/link_credential_phishing_secure_message.yml +++ b/detection-rules/link_credential_phishing_secure_message.yml @@ -32,13 +32,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml index f8d7ac3732c..1c79b89cc20 100644 --- a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml +++ b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml 
@@ -46,13 +46,10 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml index a5eb16d114e..e5e933d1b9b 100644 --- a/detection-rules/link_credential_phishing_voicemail_language.yml +++ b/detection-rules/link_credential_phishing_voicemail_language.yml @@ -53,13 +53,10 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_download_disk_image_in_encrypted_zip.yml b/detection-rules/link_download_disk_image_in_encrypted_zip.yml index 4d4019a331e..9eed870b15a 100644 --- a/detection-rules/link_download_disk_image_in_encrypted_zip.yml +++ b/detection-rules/link_download_disk_image_in_encrypted_zip.yml @@ -26,13 +26,10 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: 
diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml index 969c0ef8cdb..6f4577bc732 100644 --- a/detection-rules/link_download_suspicious_file.yml +++ b/detection-rules/link_download_suspicious_file.yml @@ -35,13 +35,10 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml index 0974ab392d0..ba4a726097d 100644 --- a/detection-rules/link_fake_fax_low_reputation.yml +++ b/detection-rules/link_fake_fax_low_reputation.yml @@ -46,13 +46,10 @@ source: | // first time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_google_apps_script_macro.yml b/detection-rules/link_google_apps_script_macro.yml index 646a0a9f669..52c9e76c65e 100644 --- a/detection-rules/link_google_apps_script_macro.yml +++ b/detection-rules/link_google_apps_script_macro.yml 
@@ -13,13 +13,10 @@ source: | ) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_google_translate.yml b/detection-rules/link_google_translate.yml index e77a82d2eb9..fe9fbafe340 100644 --- a/detection-rules/link_google_translate.yml +++ b/detection-rules/link_google_translate.yml @@ -12,13 +12,10 @@ source: | type.inbound and any(body.links, .href_url.domain.root_domain == "translate.goog") and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: diff --git a/detection-rules/link_html_smuggling_with_adobe_branding.yml b/detection-rules/link_html_smuggling_with_adobe_branding.yml index 28d17dd563f..b17b150f056 100644 --- a/detection-rules/link_html_smuggling_with_adobe_branding.yml +++ b/detection-rules/link_html_smuggling_with_adobe_branding.yml @@ -27,13 +27,10 @@ source: | ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: 
diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml index 0038b4ffdf7..bb9dafb7d69 100644 --- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml +++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml @@ -32,13 +32,10 @@ source: | ) // Unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: diff --git a/detection-rules/link_ipfs_phishing.yml b/detection-rules/link_ipfs_phishing.yml index bb6973c2c02..68a62913c73 100644 --- a/detection-rules/link_ipfs_phishing.yml +++ b/detection-rules/link_ipfs_phishing.yml @@ -33,13 +33,10 @@ source: | // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_login_or_captcha.yml b/detection-rules/link_login_or_captcha.yml index 5e9aed2b023..b96ca9291b4 100644 --- a/detection-rules/link_login_or_captcha.yml +++ b/detection-rules/link_login_or_captcha.yml 
@@ -31,13 +31,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_microsoft_device_code_phish.yml b/detection-rules/link_microsoft_device_code_phish.yml index 6553b9b081d..afa4534ec81 100644 --- a/detection-rules/link_microsoft_device_code_phish.yml +++ b/detection-rules/link_microsoft_device_code_phish.yml @@ -35,13 +35,10 @@ source: | // Unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml index 1469d86d458..d7ee230bd5b 100644 --- a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml +++ b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml @@ -35,13 +35,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: 
diff --git a/detection-rules/link_new_domain_in_link_first_time_sender.yml b/detection-rules/link_new_domain_in_link_first_time_sender.yml index ea1ed146a45..b03dbdc0f78 100644 --- a/detection-rules/link_new_domain_in_link_first_time_sender.yml +++ b/detection-rules/link_new_domain_in_link_first_time_sender.yml @@ -8,13 +8,10 @@ source: | and length(body.links) > 0 and any(body.links, beta.whois(.href_url.domain).days_old <= 10) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: diff --git a/detection-rules/link_notion_file_share.yml b/detection-rules/link_notion_file_share.yml index 8491cd00bac..435bfa75f58 100644 --- a/detection-rules/link_notion_file_share.yml +++ b/detection-rules/link_notion_file_share.yml @@ -46,13 +46,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml index cdae99e81c3..a465d2ab745 100644 --- a/detection-rules/link_qr_code_suspicious_language_fts.yml +++ b/detection-rules/link_qr_code_suspicious_language_fts.yml 
@@ -46,13 +46,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml index 7fcb7a130ba..15f0593197c 100644 --- a/detection-rules/link_suspicious_language_undisclosed_recipients.yml +++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml @@ -39,13 +39,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/mass_campaign_recipient_address_new_sender.yml b/detection-rules/mass_campaign_recipient_address_new_sender.yml index 92faf055f48..f79c26fc289 100644 --- a/detection-rules/mass_campaign_recipient_address_new_sender.yml +++ b/detection-rules/mass_campaign_recipient_address_new_sender.yml 
@@ -18,13 +18,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) and ( diff --git a/detection-rules/open_redirect_avast.yml b/detection-rules/open_redirect_avast.yml index 5ff4fcde8b6..07bf95fbbc2 100644 --- a/detection-rules/open_redirect_avast.yml +++ b/detection-rules/open_redirect_avast.yml @@ -10,13 +10,10 @@ source: | ) and sender.email.domain.root_domain != "avast.com" and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/recipients_undisclosed_free_subdomain_host.yml b/detection-rules/recipients_undisclosed_free_subdomain_host.yml index 0554bc90112..ebc72a5c284 100644 --- a/detection-rules/recipients_undisclosed_free_subdomain_host.yml +++ b/detection-rules/recipients_undisclosed_free_subdomain_host.yml @@ -22,13 +22,10 @@ source: | ) ) and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tactics_and_techniques: 
diff --git a/detection-rules/sender_new_from_domain_first_time_sender.yml b/detection-rules/sender_new_from_domain_first_time_sender.yml index ba5fbdbf256..106bcbd5b45 100644 --- a/detection-rules/sender_new_from_domain_first_time_sender.yml +++ b/detection-rules/sender_new_from_domain_first_time_sender.yml @@ -7,13 +7,10 @@ source: | type.inbound and beta.whois(sender.email.domain).days_old <= 10 and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: diff --git a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml index 55e02712629..0c1ad34ab4f 100644 --- a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml +++ b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml @@ -12,13 +12,10 @@ source: | and any(body.links, regex.icontains(.display_text, '(\bPassword:)', 'Hi.{0,5}Welcome\b')) // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/spam_new_domain_emojis.yml b/detection-rules/spam_new_domain_emojis.yml index 8b01256663d..a21c0c3a94d 100644 --- a/detection-rules/spam_new_domain_emojis.yml +++ b/detection-rules/spam_new_domain_emojis.yml 
@@ -24,13 +24,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/spam_url_shortener_emojis.yml b/detection-rules/spam_url_shortener_emojis.yml index e793b36b770..6ccc7d42423 100644 --- a/detection-rules/spam_url_shortener_emojis.yml +++ b/detection-rules/spam_url_shortener_emojis.yml @@ -27,13 +27,10 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) attack_types: diff --git a/detection-rules/vip_impersonation_attack_surface_reduction.yml b/detection-rules/vip_impersonation_attack_surface_reduction.yml index 34f8fe317c9..c4ecec17afd 100644 --- a/detection-rules/vip_impersonation_attack_surface_reduction.yml +++ b/detection-rules/vip_impersonation_attack_surface_reduction.yml 
@@ -23,25 +23,19 @@ source: | // first-time sender and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) + profile.by_sender().prevalence in ("new", "outlier") or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) // unsolicited and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) + not profile.by_sender().solicited or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains + profile.by_sender().any_malicious_messages + and not profile.by_sender().any_false_positives ) ) tags: From cc29319e99ceef7d9a007ea3ff6eebd2ff8248f0 Mon Sep 17 00:00:00 2001 
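Review bot: In vip_impersonation_attack_surface_reduction.yml both groups now carry the identical fallback `profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives`, so `(A or F) and (B or F)` reduces to `F or (A and B)`: the second copy adds no selectivity, and the `// first-time sender` / `// unsolicited` labels no longer describe what is actually evaluated. Consider factoring it to one outer `or`, e.g. `(profile.by_sender().prevalence in ("new", "outlier") and not profile.by_sender().solicited) or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)`, with a comment stating that a profile with prior malicious messages and no false positives bypasses both the prevalence and solicitation checks. The rest of this rule's `source` lies outside the hunk.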
From: Sam Scholten Date: Tue, 26 Sep 2023 17:52:44 -0400 Subject: [PATCH 02/23] Updating any_malicious_messages to any_messages_malicious_or_spam --- detection-rules/attachment_adobe_image_lure_fts.yml | 2 +- .../attachment_any_html_in_archive_unsolicited.yml | 2 +- detection-rules/attachment_any_html_new_sender.yml | 2 +- detection-rules/attachment_any_html_unsolicited.yml | 2 +- detection-rules/attachment_callback_phish_with_img.yml | 2 +- detection-rules/attachment_callback_phish_with_pdf.yml | 2 +- .../attachment_docusign_image_suspicious_links.yml | 2 +- detection-rules/attachment_dropbox_image_suspicious_links.yml | 2 +- detection-rules/attachment_eml_cred_theft.yml | 2 +- detection-rules/attachment_eml_with_html_attachment.yml | 2 +- .../attachment_emotet_heavily_padded_doc_in_zip.yml | 2 +- detection-rules/attachment_encrypted_ole_unsolicited.yml | 2 +- detection-rules/attachment_html_attachment_login_page.yml | 2 +- .../attachment_html_smuggling_double_encoded_zip.yml | 2 +- .../attachment_html_smuggling_microsoft_signin.yml | 2 +- detection-rules/attachment_js_file_execution.yml | 2 +- detection-rules/attachment_malwarebazaar.yml | 2 +- detection-rules/attachment_mht_embedded_vbscript.yml | 2 +- detection-rules/attachment_microsoft_image_lure_qr_code.yml | 2 +- detection-rules/attachment_office365_image.yml | 2 +- .../attachment_office_file_relationship_cred_theft.yml | 2 +- detection-rules/attachment_pdf_link_to_dmg.yml | 2 +- .../attachment_pdf_linking_to_password_protected_file.yml | 2 +- ...hment_pdf_with_low_reputation_link_to_suspicious_files.yml | 2 +- .../attachment_pdf_with_low_reputation_link_to_zip_file.yml | 2 +- detection-rules/attachment_soliciting_enable_macros.yml | 2 +- .../attachment_suspicious_vba_macro_first_time_sender.yml | 2 +- detection-rules/attachment_svg_embedded_js.yml | 2 +- .../attachment_vba_macro_auto_exec_unsolicited.yml | 2 +- .../attachment_vba_macro_auto_open_unsolicited.yml | 2 +- 
.../attachment_vba_macro_employee_impersonation.yml | 2 +- detection-rules/attachment_vba_macro_high_risk.yml | 2 +- detection-rules/attachment_with_encrypted_zip_unsolicited.yml | 2 +- .../attachment_with_suspicious_author_unsolicited.yml | 2 +- .../attachment_with_unknown_encrypted_zip_unsolicited.yml | 2 +- detection-rules/body_business_email_compromise_new_sender.yml | 2 +- .../body_business_email_compromise_unsolicited.yml | 2 +- detection-rules/body_callback_phishing_no_attachment.yml | 2 +- detection-rules/body_job_scam_new_sender.yml | 2 +- detection-rules/callback_phishing_nlu_body_or_attachments.yml | 2 +- .../file_sharing_link_from_suspicious_sender_domain.yml | 2 +- detection-rules/file_sharing_link_suspicious_subject.yml | 2 +- ...eaders_bec_masked_recipients_no_links_freemail_replyto.yml | 2 +- detection-rules/headers_replyto_new_domain_nlu_request.yml | 2 +- detection-rules/headers_russia_return_path.yml | 2 +- detection-rules/impersonation_amazon_suspicious_text.yml | 2 +- detection-rules/impersonation_barracuda.yml | 2 +- detection-rules/impersonation_chase.yml | 2 +- detection-rules/impersonation_dhl.yml | 2 +- detection-rules/impersonation_docusign.yml | 2 +- detection-rules/impersonation_employee_payroll_fraud.yml | 2 +- detection-rules/impersonation_employee_subject.yml | 2 +- detection-rules/impersonation_employee_urgent_request.yml | 2 +- ...ation_fake_msg_thread_mismatched_from_freemail_replyto.yml | 2 +- detection-rules/impersonation_finra.yml | 2 +- detection-rules/impersonation_github.yml | 2 +- detection-rules/impersonation_human_resources.yml | 2 +- detection-rules/impersonation_microsoft.yml | 2 +- detection-rules/impersonation_paypal.yml | 2 +- detection-rules/impersonation_recipient_domain.yml | 2 +- .../impersonation_recipient_sld_in_sender_local_fts.yml | 2 +- detection-rules/impersonation_ripple.yml | 2 +- detection-rules/impersonation_spotify.yml | 2 +- detection-rules/impersonation_stellar.yml | 2 +- 
detection-rules/impersonation_sublime_security.yml | 2 +- detection-rules/impersonation_vip_urgent_request.yml | 2 +- detection-rules/inline_image_as_message.yml | 2 +- detection-rules/link_credential_phishing.yml | 2 +- .../link_credential_phishing_intent_and_other_indicators.yml | 2 +- detection-rules/link_credential_phishing_secure_message.yml | 2 +- ..._credential_phishing_suspicious_sender_tld_and_signals.yml | 2 +- .../link_credential_phishing_voicemail_language.yml | 2 +- detection-rules/link_download_disk_image_in_encrypted_zip.yml | 2 +- detection-rules/link_download_suspicious_file.yml | 2 +- detection-rules/link_fake_fax_low_reputation.yml | 2 +- detection-rules/link_google_apps_script_macro.yml | 2 +- detection-rules/link_google_translate.yml | 2 +- detection-rules/link_html_smuggling_with_adobe_branding.yml | 2 +- .../link_html_smuggling_with_google_drive_branding.yml | 2 +- detection-rules/link_ipfs_phishing.yml | 2 +- detection-rules/link_login_or_captcha.yml | 2 +- detection-rules/link_microsoft_device_code_phish.yml | 2 +- .../link_microsoft_impersonation_using_hosted_png.yml | 2 +- detection-rules/link_new_domain_in_link_first_time_sender.yml | 2 +- detection-rules/link_notion_file_share.yml | 2 +- detection-rules/link_qr_code_suspicious_language_fts.yml | 2 +- .../link_suspicious_language_undisclosed_recipients.yml | 2 +- .../mass_campaign_recipient_address_new_sender.yml | 2 +- detection-rules/open_redirect_avast.yml | 2 +- .../recipients_undisclosed_free_subdomain_host.yml | 2 +- detection-rules/sender_new_from_domain_first_time_sender.yml | 2 +- .../spam_campaign_excessive_display_text_with_keywords.yml | 2 +- detection-rules/spam_new_domain_emojis.yml | 2 +- detection-rules/spam_url_shortener_emojis.yml | 2 +- .../vip_impersonation_attack_surface_reduction.yml | 4 ++-- 95 files changed, 96 insertions(+), 96 deletions(-) 
diff --git a/detection-rules/attachment_adobe_image_lure_fts.yml b/detection-rules/attachment_adobe_image_lure_fts.yml index 7ebf6e6e729..1c222cd97d9 100644 --- a/detection-rules/attachment_adobe_image_lure_fts.yml +++ b/detection-rules/attachment_adobe_image_lure_fts.yml @@ -22,7 +22,7 @@ source: | and ( profile.by_sender().prevalence in ("new", "outlier") or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml index 30a50f50846..f7ab205f57a 100644 --- a/detection-rules/attachment_any_html_in_archive_unsolicited.yml +++ b/detection-rules/attachment_any_html_in_archive_unsolicited.yml @@ -16,7 +16,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml index 881e39ae6d0..d0b17154671 100644 --- a/detection-rules/attachment_any_html_new_sender.yml +++ b/detection-rules/attachment_any_html_new_sender.yml @@ -16,7 +16,7 @@ source: | and ( profile.by_sender().prevalence in ("new", "outlier") or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml index 98540568841..d70127c3fdc 100644 --- a/detection-rules/attachment_any_html_unsolicited.yml +++ b/detection-rules/attachment_any_html_unsolicited.yml 
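Review bot: Renaming `any_malicious_messages` to `any_messages_malicious_or_spam` widens the fallback branch so that a sender profile with only a prior spam verdict — and no false positives — now satisfies the "first-time sender" / "unsolicited" group in each of these rules; the commit subject records the rename, but none of the hunks update the comment above the group to say so. Suggest `// or: sender profile has prior malicious or spam messages and no false positives` beside each `or (`. Whether a spam verdict should carry the same weight as a malicious one for attachment-focused rules is a tuning decision the patch does not explain; a sentence in the commit message or each rule's `description` would help future readers. The same one-token change is applied to every rule in the diffstat, and each rule's `source` continues outside its hunk.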
@@ -16,7 +16,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_callback_phish_with_img.yml b/detection-rules/attachment_callback_phish_with_img.yml index 226f8e5567e..19c4f46b120 100644 --- a/detection-rules/attachment_callback_phish_with_img.yml +++ b/detection-rules/attachment_callback_phish_with_img.yml @@ -12,7 +12,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml index 4a9180c1df3..e707ca72c80 100644 --- a/detection-rules/attachment_callback_phish_with_pdf.yml +++ b/detection-rules/attachment_callback_phish_with_pdf.yml @@ -10,7 +10,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml index d70d88ddbcd..79c46f1d4e0 100644 --- a/detection-rules/attachment_docusign_image_suspicious_links.yml +++ b/detection-rules/attachment_docusign_image_suspicious_links.yml @@ -28,7 +28,7 @@ source: | and ( profile.by_sender().prevalence in ("new", "outlier") or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml index c8e09723e63..478744466bc 100644 
--- a/detection-rules/attachment_dropbox_image_suspicious_links.yml +++ b/detection-rules/attachment_dropbox_image_suspicious_links.yml @@ -16,7 +16,7 @@ source: | and ( profile.by_sender().prevalence in ("new", "outlier") or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml index cd9516fac1b..95b44aad734 100644 --- a/detection-rules/attachment_eml_cred_theft.yml +++ b/detection-rules/attachment_eml_cred_theft.yml @@ -34,7 +34,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml index 5d83a8a48d0..ca10efeee91 100644 --- a/detection-rules/attachment_eml_with_html_attachment.yml +++ b/detection-rules/attachment_eml_with_html_attachment.yml @@ -45,7 +45,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml index 3f0782d363c..0f1e36c18ac 100644 --- a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml +++ b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml @@ -21,7 +21,7 @@ source: | and ( profile.by_sender().prevalence in ("new", "outlier") or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) 
diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml index 90bc95fa39a..10df0004afc 100644 --- a/detection-rules/attachment_encrypted_ole_unsolicited.yml +++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml @@ -15,7 +15,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml index 86267c2c615..af9dd43c689 100644 --- a/detection-rules/attachment_html_attachment_login_page.yml +++ b/detection-rules/attachment_html_attachment_login_page.yml @@ -72,7 +72,7 @@ source: | and ( not profile.by_sender().solicited or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml index dfa2caec04d..0d7374033c7 100644 --- a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml +++ b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml @@ -15,7 +15,7 @@ source: | and ( profile.by_sender().prevalence in ("new", "outlier") or ( - profile.by_sender().any_malicious_messages + profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives ) ) diff --git a/detection-rules/attachment_html_smuggling_microsoft_signin.yml b/detection-rules/attachment_html_smuggling_microsoft_signin.yml index 9edceef1f6b..ec988219191 100644 --- a/detection-rules/attachment_html_smuggling_microsoft_signin.yml +++ b/detection-rules/attachment_html_smuggling_microsoft_signin.yml 
@@ -27,7 +27,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml
index 38c9cfd2053..a5573cd94f8 100644
--- a/detection-rules/attachment_js_file_execution.yml
+++ b/detection-rules/attachment_js_file_execution.yml
@@ -19,7 +19,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_malwarebazaar.yml b/detection-rules/attachment_malwarebazaar.yml
index b8a5be43491..b8b6025bcd1 100644
--- a/detection-rules/attachment_malwarebazaar.yml
+++ b/detection-rules/attachment_malwarebazaar.yml
@@ -8,7 +8,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml
index 8194fdf9a7c..1a84705f349 100644
--- a/detection-rules/attachment_mht_embedded_vbscript.yml
+++ b/detection-rules/attachment_mht_embedded_vbscript.yml
@@ -19,7 +19,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index df00cbe0aab..37182356226 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -60,7 +60,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index e1b97415dab..39644f3df92 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -58,7 +58,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_office_file_relationship_cred_theft.yml b/detection-rules/attachment_office_file_relationship_cred_theft.yml
index 165654bdc53..f7735b69322 100644
--- a/detection-rules/attachment_office_file_relationship_cred_theft.yml
+++ b/detection-rules/attachment_office_file_relationship_cred_theft.yml
@@ -25,7 +25,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml
index 5a7cf4357e3..24c8ad81ab2 100644
--- a/detection-rules/attachment_pdf_link_to_dmg.yml
+++ b/detection-rules/attachment_pdf_link_to_dmg.yml
@@ -45,7 +45,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
index 0e67b35b16f..14cc93e7b84 100644
--- a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
+++ b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml
@@ -21,7 +21,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
index 00a82837ed2..2f88a8ece88 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -21,7 +21,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
index 4d5ef5a96d2..14fea15e6bd 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
@@ -22,7 +22,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml
index 070526614d1..c502919588b 100644
--- a/detection-rules/attachment_soliciting_enable_macros.yml
+++ b/detection-rules/attachment_soliciting_enable_macros.yml
@@ -21,7 +21,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
index cbfbae97364..5cc38d278ec 100644
--- a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
+++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
@@ -13,7 +13,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml
index db0f5ca3850..885527d09da 100644
--- a/detection-rules/attachment_svg_embedded_js.yml
+++ b/detection-rules/attachment_svg_embedded_js.yml
@@ -26,7 +26,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
index ad0d26e90cf..8cc39d8b582 100644
--- a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
@@ -16,7 +16,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
index 54e7c4208f9..7bbe7543329 100644
--- a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
@@ -17,7 +17,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml
index 9b050074c1a..ac8d8b2fbba 100644
--- a/detection-rules/attachment_vba_macro_employee_impersonation.yml
+++ b/detection-rules/attachment_vba_macro_employee_impersonation.yml
@@ -23,7 +23,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml
index b3500a0270b..8b9ab322c5e 100644
--- a/detection-rules/attachment_vba_macro_high_risk.yml
+++ b/detection-rules/attachment_vba_macro_high_risk.yml
@@ -14,7 +14,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
index 4c05b3bcbe9..e21351fe9b1 100644
--- a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
+++ b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml
@@ -14,7 +14,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_with_suspicious_author_unsolicited.yml b/detection-rules/attachment_with_suspicious_author_unsolicited.yml
index 6f56408f68e..29e1e71901e 100644
--- a/detection-rules/attachment_with_suspicious_author_unsolicited.yml
+++ b/detection-rules/attachment_with_suspicious_author_unsolicited.yml
@@ -15,7 +15,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
index d482759c61f..badc0f2862d 100644
--- a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
+++ b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml
@@ -18,7 +18,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index b71fcbe7dcc..8930d8cb941 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -25,7 +25,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
index 0b26b358674..247f22a967a 100644
--- a/detection-rules/body_business_email_compromise_unsolicited.yml
+++ b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -47,7 +47,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/body_callback_phishing_no_attachment.yml b/detection-rules/body_callback_phishing_no_attachment.yml
index 5baf207e6b7..b4a1caf7d3d 100644
--- a/detection-rules/body_callback_phishing_no_attachment.yml
+++ b/detection-rules/body_callback_phishing_no_attachment.yml
@@ -11,7 +11,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/body_job_scam_new_sender.yml b/detection-rules/body_job_scam_new_sender.yml
index 550153f4a07..9d002d17203 100644
--- a/detection-rules/body_job_scam_new_sender.yml
+++ b/detection-rules/body_job_scam_new_sender.yml
@@ -13,7 +13,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index cc93e434a53..b5b1f1a0c7f 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -27,7 +27,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml
index b6e4e668a06..09b81756466 100644
--- a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml
+++ b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml
@@ -10,7 +10,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml
index 4c7f168d10c..09ed51da703 100644
--- a/detection-rules/file_sharing_link_suspicious_subject.yml
+++ b/detection-rules/file_sharing_link_suspicious_subject.yml
@@ -20,7 +20,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml
index fbd85453272..4970785d8d3 100644
--- a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml
+++ b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml
@@ -18,7 +18,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml
index c2f610c3353..f004bb4a274 100644
--- a/detection-rules/headers_replyto_new_domain_nlu_request.yml
+++ b/detection-rules/headers_replyto_new_domain_nlu_request.yml
@@ -29,7 +29,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/headers_russia_return_path.yml b/detection-rules/headers_russia_return_path.yml
index 18a0c30d820..2daabd83ce5 100644
--- a/detection-rules/headers_russia_return_path.yml
+++ b/detection-rules/headers_russia_return_path.yml
@@ -10,7 +10,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_amazon_suspicious_text.yml b/detection-rules/impersonation_amazon_suspicious_text.yml
index 787688af404..617dce23d85 100644
--- a/detection-rules/impersonation_amazon_suspicious_text.yml
+++ b/detection-rules/impersonation_amazon_suspicious_text.yml
@@ -37,7 +37,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_barracuda.yml b/detection-rules/impersonation_barracuda.yml
index fe14c733dfc..77cab95db70 100644
--- a/detection-rules/impersonation_barracuda.yml
+++ b/detection-rules/impersonation_barracuda.yml
@@ -24,7 +24,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
index bb395d282f4..15a8108ef0b 100644
--- a/detection-rules/impersonation_chase.yml
+++ b/detection-rules/impersonation_chase.yml
@@ -26,7 +26,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index 68a974d5102..6f45b9c5253 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -28,7 +28,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_docusign.yml b/detection-rules/impersonation_docusign.yml
index e60a1288116..695cc52220f 100644
--- a/detection-rules/impersonation_docusign.yml
+++ b/detection-rules/impersonation_docusign.yml
@@ -55,7 +55,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml
index 4a7d299c552..108b809ed80 100644
--- a/detection-rules/impersonation_employee_payroll_fraud.yml
+++ b/detection-rules/impersonation_employee_payroll_fraud.yml
@@ -27,7 +27,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_employee_subject.yml b/detection-rules/impersonation_employee_subject.yml
index 546e95e428d..a0ea7a09175 100644
--- a/detection-rules/impersonation_employee_subject.yml
+++ b/detection-rules/impersonation_employee_subject.yml
@@ -19,7 +19,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
index b8ffd8cc3cf..bd30f6f6bd9 100644
--- a/detection-rules/impersonation_employee_urgent_request.yml
+++ b/detection-rules/impersonation_employee_urgent_request.yml
@@ -28,7 +28,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
index 52d323aa579..b45d953f586 100644
--- a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
+++ b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
@@ -13,7 +13,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_finra.yml b/detection-rules/impersonation_finra.yml
index 1b8e6d23e9f..26287c89588 100644
--- a/detection-rules/impersonation_finra.yml
+++ b/detection-rules/impersonation_finra.yml
@@ -17,7 +17,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 01ebb6359ab..7606ceab8ff 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -31,7 +31,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index ae983554ab1..00516688e71 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -20,7 +20,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index a76b3f93a14..44a6db375db 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
@@ -47,7 +47,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
index 8ae92197782..beb8c24b30c 100644
--- a/detection-rules/impersonation_paypal.yml
+++ b/detection-rules/impersonation_paypal.yml
@@ -57,7 +57,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml
index 4d1ee53808b..a28324c7734 100644
--- a/detection-rules/impersonation_recipient_domain.yml
+++ b/detection-rules/impersonation_recipient_domain.yml
@@ -36,7 +36,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml
index 07fdfe057b0..53985558905 100644
--- a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml
+++ b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml
@@ -29,7 +29,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_ripple.yml b/detection-rules/impersonation_ripple.yml
index 9b961db504c..b3ddee751d1 100644
--- a/detection-rules/impersonation_ripple.yml
+++ b/detection-rules/impersonation_ripple.yml
@@ -13,7 +13,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml
index 543243dec9b..65d576c0018 100644
--- a/detection-rules/impersonation_spotify.yml
+++ b/detection-rules/impersonation_spotify.yml
@@ -24,7 +24,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_stellar.yml b/detection-rules/impersonation_stellar.yml
index 12e88c0cd77..9cea84869ec 100644
--- a/detection-rules/impersonation_stellar.yml
+++ b/detection-rules/impersonation_stellar.yml
@@ -13,7 +13,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml
index f6e0cb1b2c6..9d12ca5e34a 100644
--- a/detection-rules/impersonation_sublime_security.yml
+++ b/detection-rules/impersonation_sublime_security.yml
@@ -16,7 +16,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml
index 3d088726094..870eb7f67c4 100644
--- a/detection-rules/impersonation_vip_urgent_request.yml
+++ b/detection-rules/impersonation_vip_urgent_request.yml
@@ -19,7 +19,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/inline_image_as_message.yml b/detection-rules/inline_image_as_message.yml
index 601121979f1..d9cdfc3b964 100644
--- a/detection-rules/inline_image_as_message.yml
+++ b/detection-rules/inline_image_as_message.yml
@@ -23,7 +23,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
index 576b26186cc..433fa6ad6e8 100644
--- a/detection-rules/link_credential_phishing.yml
+++ b/detection-rules/link_credential_phishing.yml
@@ -13,7 +13,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index ffe72d80c6b..497d74f5518 100644
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -301,7 +301,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 40e316e48c7..10eafabf990 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -34,7 +34,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
index 1c79b89cc20..2a2b8092351 100644
--- a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
+++ b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
@@ -48,7 +48,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index e5e933d1b9b..2991fd8c84e 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -55,7 +55,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_download_disk_image_in_encrypted_zip.yml b/detection-rules/link_download_disk_image_in_encrypted_zip.yml
index 9eed870b15a..fa5e007caf4 100644
--- a/detection-rules/link_download_disk_image_in_encrypted_zip.yml
+++ b/detection-rules/link_download_disk_image_in_encrypted_zip.yml
@@ -28,7 +28,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml
index 6f4577bc732..51c6849e166 100644
--- a/detection-rules/link_download_suspicious_file.yml
+++ b/detection-rules/link_download_suspicious_file.yml
@@ -37,7 +37,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml
index ba4a726097d..785682ca5a5 100644
--- a/detection-rules/link_fake_fax_low_reputation.yml
+++ b/detection-rules/link_fake_fax_low_reputation.yml
@@ -48,7 +48,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_google_apps_script_macro.yml b/detection-rules/link_google_apps_script_macro.yml
index 52c9e76c65e..8706c6465c4 100644
--- a/detection-rules/link_google_apps_script_macro.yml
+++ b/detection-rules/link_google_apps_script_macro.yml
@@ -15,7 +15,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_google_translate.yml b/detection-rules/link_google_translate.yml
index fe9fbafe340..06a07041f60 100644
--- a/detection-rules/link_google_translate.yml
+++ b/detection-rules/link_google_translate.yml
@@ -14,7 +14,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_html_smuggling_with_adobe_branding.yml b/detection-rules/link_html_smuggling_with_adobe_branding.yml
index b17b150f056..38665d1124a 100644
--- a/detection-rules/link_html_smuggling_with_adobe_branding.yml
+++ b/detection-rules/link_html_smuggling_with_adobe_branding.yml
@@ -29,7 +29,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
index bb9dafb7d69..4eada82e9d9 100644
--- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml
+++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
@@ -34,7 +34,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_ipfs_phishing.yml b/detection-rules/link_ipfs_phishing.yml
index 68a62913c73..003c0545b0c 100644
--- a/detection-rules/link_ipfs_phishing.yml
+++ b/detection-rules/link_ipfs_phishing.yml
@@ -35,7 +35,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_login_or_captcha.yml b/detection-rules/link_login_or_captcha.yml
index b96ca9291b4..cc97fe5df4c 100644
--- a/detection-rules/link_login_or_captcha.yml
+++ b/detection-rules/link_login_or_captcha.yml
@@ -33,7 +33,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_microsoft_device_code_phish.yml b/detection-rules/link_microsoft_device_code_phish.yml
index afa4534ec81..66a512fb78a 100644
--- a/detection-rules/link_microsoft_device_code_phish.yml
+++ b/detection-rules/link_microsoft_device_code_phish.yml
@@ -37,7 +37,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
index d7ee230bd5b..5268ea33c32 100644
--- a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
+++ b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
@@ -37,7 +37,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_new_domain_in_link_first_time_sender.yml b/detection-rules/link_new_domain_in_link_first_time_sender.yml
index b03dbdc0f78..6f303b2fbaa 100644
--- a/detection-rules/link_new_domain_in_link_first_time_sender.yml
+++ b/detection-rules/link_new_domain_in_link_first_time_sender.yml
@@ -10,7 +10,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_notion_file_share.yml b/detection-rules/link_notion_file_share.yml
index 435bfa75f58..f828857d393 100644
--- a/detection-rules/link_notion_file_share.yml
+++ b/detection-rules/link_notion_file_share.yml
@@ -48,7 +48,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index a465d2ab745..60e335cf467 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -48,7 +48,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
index 15f0593197c..714a90ec1d2 100644
--- a/detection-rules/link_suspicious_language_undisclosed_recipients.yml
+++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
@@ -41,7 +41,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/mass_campaign_recipient_address_new_sender.yml b/detection-rules/mass_campaign_recipient_address_new_sender.yml
index f79c26fc289..d0cc7dd5a48 100644
--- a/detection-rules/mass_campaign_recipient_address_new_sender.yml
+++ b/detection-rules/mass_campaign_recipient_address_new_sender.yml
@@ -20,7 +20,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/open_redirect_avast.yml b/detection-rules/open_redirect_avast.yml
index 07bf95fbbc2..4468bf1bfdc 100644
--- a/detection-rules/open_redirect_avast.yml
+++ b/detection-rules/open_redirect_avast.yml
@@ -12,7 +12,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/recipients_undisclosed_free_subdomain_host.yml b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
index ebc72a5c284..dd5d33f8d9e 100644
--- a/detection-rules/recipients_undisclosed_free_subdomain_host.yml
+++ b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
@@ -24,7 +24,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/sender_new_from_domain_first_time_sender.yml b/detection-rules/sender_new_from_domain_first_time_sender.yml
index 106bcbd5b45..d623bcb7187 100644
--- a/detection-rules/sender_new_from_domain_first_time_sender.yml
+++ b/detection-rules/sender_new_from_domain_first_time_sender.yml
@@ -9,7 +9,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
index 0c1ad34ab4f..d28170e03f9 100644
--- a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
+++ b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
@@ -14,7 +14,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/spam_new_domain_emojis.yml b/detection-rules/spam_new_domain_emojis.yml
index a21c0c3a94d..761c940f949 100644
--- a/detection-rules/spam_new_domain_emojis.yml
+++ b/detection-rules/spam_new_domain_emojis.yml
@@ -26,7 +26,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/spam_url_shortener_emojis.yml b/detection-rules/spam_url_shortener_emojis.yml
index 6ccc7d42423..51f18a702ce 100644
--- a/detection-rules/spam_url_shortener_emojis.yml
+++ b/detection-rules/spam_url_shortener_emojis.yml
@@ -29,7 +29,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
diff --git a/detection-rules/vip_impersonation_attack_surface_reduction.yml b/detection-rules/vip_impersonation_attack_surface_reduction.yml
index c4ecec17afd..7a825b14d4a 100644
--- a/detection-rules/vip_impersonation_attack_surface_reduction.yml
+++ b/detection-rules/vip_impersonation_attack_surface_reduction.yml
@@ -25,7 +25,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
@@ -34,7 +34,7 @@ source: |
 and (
 not profile.by_sender().solicited
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
From 0a9cb4c4fed364969a321e6c8b479132e1fbceaa Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:04:54 -0400
Subject: [PATCH 03/23] Update attachment_any_html_new_sender.yml
---
 detection-rules/attachment_any_html_new_sender.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
index d0b17154671..117804f24ce 100644
--- a/detection-rules/attachment_any_html_new_sender.yml
+++ b/detection-rules/attachment_any_html_new_sender.yml
@@ -11,8 +11,6 @@ severity: "medium"
 source: |
 type.inbound
 and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From 63df918c185ba29168c08a33c117f01db4eb57f7 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:05:25 -0400
Subject: [PATCH 04/23] Update attachment_html_attachment_login_page.yml
---
 detection-rules/attachment_html_attachment_login_page.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml
index af9dd43c689..0f513c19103 100644
--- a/detection-rules/attachment_html_attachment_login_page.yml
+++ b/detection-rules/attachment_html_attachment_login_page.yml
@@ -68,7 +68,6 @@ source: |
 )
 )
 )
- // Unsolicited
 and (
 not profile.by_sender().solicited
 or (
From 7fa974b0257b6c4528f318b356b46f30dd0cbe67 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:05:44 -0400
Subject: [PATCH 05/23] Update attachment_js_file_execution.yml
---
 detection-rules/attachment_js_file_execution.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml
index a5573cd94f8..788d141ed21 100644
--- a/detection-rules/attachment_js_file_execution.yml
+++ b/detection-rules/attachment_js_file_execution.yml
@@ -15,7 +15,6 @@ source: |
 )
 )
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From 431199d60909290e2c826a2feb4bea07187aab76 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:06:11 -0400
Subject: [PATCH 06/23] Update attachment_mht_embedded_vbscript.yml
---
 detection-rules/attachment_mht_embedded_vbscript.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml
index 1a84705f349..7820e2b3caa 100644
--- a/detection-rules/attachment_mht_embedded_vbscript.yml
+++ b/detection-rules/attachment_mht_embedded_vbscript.yml
@@ -14,8 +14,6 @@ source: |
 and any(file.explode(.), .file_extension =~ "mht")
 and any(file.explode(.), any(.scan.html.scripts, .language == "VBScript"))
 )
-
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
From 636f6f295758f1553103c28d927801b3a8e28e32 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:06:40 -0400
Subject: [PATCH 07/23] Update attachment_any_html_unsolicited.yml
---
 detection-rules/attachment_any_html_unsolicited.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index d70127c3fdc..c5549895fd3 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -11,8 +11,6 @@ severity: "low"
 source: |
 type.inbound
 and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
-
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
From 512f088c7648ba0358d6d314c04be5f8699d8d68 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:07:39 -0400
Subject: [PATCH 08/23] Update attachment_eml_cred_theft.yml
---
 detection-rules/attachment_eml_cred_theft.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
index 95b44aad734..d3b647aa504 100644
--- a/detection-rules/attachment_eml_cred_theft.yml
+++ b/detection-rules/attachment_eml_cred_theft.yml
@@ -29,8 +29,6 @@ source: |
 and not any(attachments, .content_type == "message/delivery-status")
 // if the "References" is in the body of the message, it's probably a bounce
 and not any(headers.references, strings.contains(body.html.display_text, .))
-
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
From f1d6b1f64d43898d77302ae9c349dc458ede50e4 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:08:00 -0400
Subject: [PATCH 09/23] Update attachment_eml_with_html_attachment.yml
---
 detection-rules/attachment_eml_with_html_attachment.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml
index ca10efeee91..f719bf69097 100644
--- a/detection-rules/attachment_eml_with_html_attachment.yml
+++ b/detection-rules/attachment_eml_with_html_attachment.yml
@@ -40,8 +40,6 @@ source: |
 and not any(attachments, .content_type == "message/delivery-status")
 // if the "References" is in the body of the message, it's probably a bounce
 and not any(headers.references, strings.contains(body.html.display_text, .))
-
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
From e399c7bca76e0ce1b59dbe12e7f5e38c9195aa98 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:08:31 -0400
Subject: [PATCH 10/23] Update attachment_microsoft_image_lure_qr_code.yml
---
 detection-rules/attachment_microsoft_image_lure_qr_code.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index ca23a6a6c0d..f130fcdcaaa 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -61,7 +61,6 @@ source: |
 and sender.email.domain.domain == "microsoft.com"
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
From e347c3f8f6c88106406d8a982927762ac20aecf8 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:09:29 -0400
Subject: [PATCH 11/23] Update attachment_office365_image.yml
---
 detection-rules/attachment_office365_image.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
index 39644f3df92..9622f79a11f 100644
--- a/detection-rules/attachment_office365_image.yml
+++ b/detection-rules/attachment_office365_image.yml
@@ -54,7 +54,6 @@ source: |
 and sender.email.domain.domain in ("microsoft.com", "sharepointonline.com")
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
From 279554030f0522b149158a15775894b056270ccb Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:11:14 -0400
Subject: [PATCH 12/23] Update attachment_pdf_link_to_dmg.yml
---
 detection-rules/attachment_pdf_link_to_dmg.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml
index 24c8ad81ab2..81874a50ef1 100644
--- a/detection-rules/attachment_pdf_link_to_dmg.yml
+++ b/detection-rules/attachment_pdf_link_to_dmg.yml
@@ -39,9 +39,6 @@ source: |
 )
 )
 )
-
-
- // first time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From a5bbd067e2c24a904e0bba9cb152802a489e4b36 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:12:42 -0400
Subject: [PATCH 13/23] Update impersonation_barracuda.yml
---
 detection-rules/impersonation_barracuda.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/impersonation_barracuda.yml b/detection-rules/impersonation_barracuda.yml
index 77cab95db70..76987ffe608 100644
--- a/detection-rules/impersonation_barracuda.yml
+++ b/detection-rules/impersonation_barracuda.yml
@@ -20,7 +20,6 @@ source: |
 'sharkssports.net',
 'sjbarracuda.com'
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From 269217f2617eab229dc6d9b1341a9f08e9738018 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:13:12 -0400
Subject: [PATCH 14/23] Update body_business_email_compromise_new_sender.yml
---
 detection-rules/body_business_email_compromise_new_sender.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index 8930d8cb941..ffec5179bee 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -21,7 +21,6 @@ source: |
 or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 )
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From d8ae07d0f8383785b57e5cdf21b2ad726d186c55 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:13:38 -0400
Subject: [PATCH 15/23] Update impersonation_dhl.yml
---
 detection-rules/impersonation_dhl.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index 6f45b9c5253..99d9d08539b 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -24,7 +24,6 @@ source: |
 'dhl.de',
 'dhl.fr'
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From c0de6a36ac021bf7aad8458602eacf05dcc36c18 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:14:07 -0400
Subject: [PATCH 16/23] Update headers_replyto_new_domain_nlu_request.yml
---
 detection-rules/headers_replyto_new_domain_nlu_request.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml
index f004bb4a274..c26b16bc096 100644
--- a/detection-rules/headers_replyto_new_domain_nlu_request.yml
+++ b/detection-rules/headers_replyto_new_domain_nlu_request.yml
@@ -24,8 +24,6 @@ source: |
 .name is not null and .confidence in ("medium", "high")
 )
 )
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From 5a85c00853802c59fa1b22dab9d0c710f02c72a2 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:14:35 -0400
Subject: [PATCH 17/23] Update impersonation_employee_urgent_request.yml
---
 detection-rules/impersonation_employee_urgent_request.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
index bd30f6f6bd9..e8d2abda54a 100644
--- a/detection-rules/impersonation_employee_urgent_request.yml
+++ b/detection-rules/impersonation_employee_urgent_request.yml
@@ -23,8 +23,6 @@ source: |
 and not strings.istarts_with(subject.subject, "fwd:")
 )
 )
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From fa4c1d4e4786c1d059d988b9fdafd3f782c378a3 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:15:15 -0400
Subject: [PATCH 18/23] Update link_credential_phishing.yml
---
 detection-rules/link_credential_phishing.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
index 433fa6ad6e8..08e9ef5f47e 100644
--- a/detection-rules/link_credential_phishing.yml
+++ b/detection-rules/link_credential_phishing.yml
@@ -9,7 +9,6 @@ source: |
 beta.linkanalysis(.).credphish.disposition == "phishing"
 and beta.linkanalysis(.).credphish.confidence in ("medium", "high")
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From f43855b7550d63080799cc5f3e83804aa6432eac Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:16:05 -0400
Subject: [PATCH 19/23] Update impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
---
 ...onation_fake_msg_thread_mismatched_from_freemail_replyto.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
index b45d953f586..ec61e357ec8 100644
--- a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
+++ b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml
@@ -8,8 +8,6 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
-
- // First-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From c80d78885b6232bcd54fc99ef3f13a17edea1488 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:16:53 -0400
Subject: [PATCH 20/23] Update impersonation_microsoft.yml
---
 detection-rules/impersonation_microsoft.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index 44a6db375db..d67692062f6 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
@@ -42,8 +42,6 @@ source: |
 'office.com',
 'teams-events.com'
 )
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From f8cd0f0e5ac62aa33e134ef30f33d4a8844fa08c Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:21:25 -0400
Subject: [PATCH 21/23] Update impersonation_recipient_domain.yml
---
 detection-rules/impersonation_recipient_domain.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml
index a28324c7734..89a05768ac4 100644
--- a/detection-rules/impersonation_recipient_domain.yml
+++ b/detection-rules/impersonation_recipient_domain.yml
@@ -32,7 +32,6 @@ source: |
 and all(recipients.to, .email.email != sender.email.email)
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From 2ab25e45bb516ed6d5410885691231a532627463 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:22:20 -0400
Subject: [PATCH 22/23] Update impersonation_spotify.yml
---
 detection-rules/impersonation_spotify.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml
index 65d576c0018..c1fe24ce78d 100644
--- a/detection-rules/impersonation_spotify.yml
+++ b/detection-rules/impersonation_spotify.yml
@@ -20,7 +20,6 @@ source: |
 'anchor.fm'
 )
 and sender.email.domain.domain not in~ ('privaterelay.appleid.com')
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
From db1cd08b64044567a05a8b4000a74b52ff9b2e1a Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 4 Oct 2023 18:36:24 -0400
Subject: [PATCH 23/23] Removing FTS//Unsolicited Comments
---
 ...achment_pdf_with_low_reputation_link_to_suspicious_files.yml | 1 -
 .../attachment_pdf_with_low_reputation_link_to_zip_file.yml | 1 -
 detection-rules/attachment_qr_code_suspicious_components.yml | 2 --
 detection-rules/attachment_svg_embedded_js.yml | 2 --
 detection-rules/body_business_email_compromise_unsolicited.yml | 2 --
 detection-rules/impersonation_amazon_suspicious_text.yml | 1 -
 detection-rules/impersonation_docusign.yml | 1 -
 detection-rules/impersonation_employee_subject.yml | 1 -
 detection-rules/impersonation_finra.yml | 2 --
 detection-rules/impersonation_paypal.yml | 2 --
 detection-rules/impersonation_sublime_security.yml | 1 -
 detection-rules/impersonation_vip_urgent_request.yml | 1 -
 .../link_credential_phishing_intent_and_other_indicators.yml | 2 --
 detection-rules/link_credential_phishing_secure_message.yml | 2 --
 ...nk_credential_phishing_suspicious_sender_tld_and_signals.yml | 1 -
 detection-rules/link_download_disk_image_in_encrypted_zip.yml | 1 -
 detection-rules/link_download_suspicious_file.yml | 1 -
 detection-rules/link_fake_fax_low_reputation.yml | 2 --
 detection-rules/link_google_apps_script_macro.yml | 1 -
 detection-rules/link_html_smuggling_with_adobe_branding.yml | 1 -
 .../link_html_smuggling_with_google_drive_branding.yml | 1 -
 .../link_invoice_fake_customer_service_freemail_sender.yml | 1 -
 detection-rules/link_ipfs_phishing.yml | 1 -
 detection-rules/link_login_or_captcha.yml | 2 --
 detection-rules/link_microsoft_device_code_phish.yml | 2 --
 .../link_microsoft_impersonation_using_hosted_png.yml | 2 --
 detection-rules/link_notion_file_share.yml | 2 --
 detection-rules/link_qr_code_suspicious_language_fts.yml | 1 -
 .../link_suspicious_language_undisclosed_recipients.yml | 1 -
 detection-rules/mass_campaign_recipient_address_new_sender.yml | 2 --
 .../spam_campaign_excessive_display_text_with_keywords.yml | 1 -
 detection-rules/spam_new_domain_emojis.yml | 2 --
 detection-rules/spam_url_shortener_emojis.yml | 2 --
 detection-rules/vip_impersonation_attack_surface_reduction.yml | 2 --
 34 files changed, 50 deletions(-)
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
index 2f88a8ece88..1b322cbc3a6 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -17,7 +17,6 @@ source: |
 )
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
index 14fea15e6bd..d7e2cc43fe0 100644
--- a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
+++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml
@@ -18,7 +18,6 @@ source: |
 )
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml
index bb2a94dfca4..c081611dfd6 100644
--- a/detection-rules/attachment_qr_code_suspicious_components.yml
+++ b/detection-rules/attachment_qr_code_suspicious_components.yml
@@ -55,8 +55,6 @@ source: |
 )
 )
 )
-
- // first time sender
 and (
 (
 sender.email.domain.root_domain in $free_email_providers
diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml
index 885527d09da..1bb935303aa 100644
--- a/detection-rules/attachment_svg_embedded_js.yml
+++ b/detection-rules/attachment_svg_embedded_js.yml
@@ -21,8 +21,6 @@ source: |
 and any(.scan.strings.strings, strings.icontains(., "CDATA"))
 )
 )
-
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
index 247f22a967a..2eb2383c0c6 100644
--- a/detection-rules/body_business_email_compromise_unsolicited.yml
+++ b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -42,8 +42,6 @@ source: |
 )
 )
 )
-
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/impersonation_amazon_suspicious_text.yml b/detection-rules/impersonation_amazon_suspicious_text.yml
index 617dce23d85..e2c7744ad7e 100644
--- a/detection-rules/impersonation_amazon_suspicious_text.yml
+++ b/detection-rules/impersonation_amazon_suspicious_text.yml
@@ -33,7 +33,6 @@ source: |
 )
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/impersonation_docusign.yml b/detection-rules/impersonation_docusign.yml
index 695cc52220f..cfb1539a93b 100644
--- a/detection-rules/impersonation_docusign.yml
+++ b/detection-rules/impersonation_docusign.yml
@@ -51,7 +51,6 @@ source: |
 )
 and strings.contains(sender.display_name, "via")
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/impersonation_employee_subject.yml b/detection-rules/impersonation_employee_subject.yml
index a0ea7a09175..7704a421d80 100644
--- a/detection-rules/impersonation_employee_subject.yml
+++ b/detection-rules/impersonation_employee_subject.yml
@@ -15,7 +15,6 @@ source: |
 any(ml.nlu_classifier(.).intents, .name == "bec" and .confidence in ("medium", "high"))
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/impersonation_finra.yml b/detection-rules/impersonation_finra.yml
index 26287c89588..65c10058643 100644
--- a/detection-rules/impersonation_finra.yml
+++ b/detection-rules/impersonation_finra.yml
@@ -12,8 +12,6 @@ source: |
 or strings.ilevenshtein(sender.email.domain.sld, 'finra') <= 1
 )
 and sender.email.domain.root_domain not in~ ('finra.org', 'finrax.com')
-
- // unsolicited
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
index beb8c24b30c..dfb3d3f7e8e 100644
--- a/detection-rules/impersonation_paypal.yml
+++ b/detection-rules/impersonation_paypal.yml
@@ -52,8 +52,6 @@ source: |
 'paypal-prepaid.com',
 'xoom.com'
 )
-
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml
index 9d12ca5e34a..e69db5c1101 100644
--- a/detection-rules/impersonation_sublime_security.yml
+++ b/detection-rules/impersonation_sublime_security.yml
@@ -12,7 +12,6 @@ source: |
 or strings.ilevenshtein(sender.email.domain.domain, 'sublimesecurity.com') <= 2
 )
 and sender.email.domain.domain != 'sublimesecurity.com'
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml
index 870eb7f67c4..13f1a9ab7a9 100644
--- a/detection-rules/impersonation_vip_urgent_request.yml
+++ b/detection-rules/impersonation_vip_urgent_request.yml
@@ -15,7 +15,6 @@ source: |
 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
 )
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index 497d74f5518..a9ecc3b8de4 100644
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -296,8 +296,6 @@ source: |
 // doesn't match any links in the body
 or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
 )
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 10eafabf990..1960d5ee9e5 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -29,8 +29,6 @@ source: |
 // Negate known secure mailer(s)
 and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))
 )
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
index 2a2b8092351..a0019a6fe00 100644
--- a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
+++ b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml
@@ -44,7 +44,6 @@ source: |
 any(recipients.to, strings.icontains(subject.subject, .email.email)),
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/link_download_disk_image_in_encrypted_zip.yml b/detection-rules/link_download_disk_image_in_encrypted_zip.yml
index fa5e007caf4..264ebacb2bc 100644
--- a/detection-rules/link_download_disk_image_in_encrypted_zip.yml
+++ b/detection-rules/link_download_disk_image_in_encrypted_zip.yml
@@ -24,7 +24,6 @@ source: |
 )
 )
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml
index 51c6849e166..367753b3220 100644
--- a/detection-rules/link_download_suspicious_file.yml
+++ b/detection-rules/link_download_suspicious_file.yml
@@ -33,7 +33,6 @@ source: |
 )
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml
index 785682ca5a5..f2654141930 100644
--- a/detection-rules/link_fake_fax_low_reputation.yml
+++ b/detection-rules/link_fake_fax_low_reputation.yml
@@ -43,8 +43,6 @@ source: |
 )
 )
 )
-
- // first time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_google_apps_script_macro.yml b/detection-rules/link_google_apps_script_macro.yml
index 8706c6465c4..a71f3ae38bb 100644
--- a/detection-rules/link_google_apps_script_macro.yml
+++ b/detection-rules/link_google_apps_script_macro.yml
@@ -11,7 +11,6 @@ source: |
 and any(body.links, .href_url.domain.domain == "script.google.com" and strings.ilike(.href_url.path, "/macros*")
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_html_smuggling_with_adobe_branding.yml b/detection-rules/link_html_smuggling_with_adobe_branding.yml
index 38665d1124a..2a5e63ff55d 100644
--- a/detection-rules/link_html_smuggling_with_adobe_branding.yml
+++ b/detection-rules/link_html_smuggling_with_adobe_branding.yml
@@ -25,7 +25,6 @@ source: |
 )
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
index 4eada82e9d9..68c8ae319e3 100644
--- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml
+++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
@@ -30,7 +30,6 @@ source: |
 )
 )
 )
- // Unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml b/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml
index bd50ed86d42..020199d5b67 100644
--- a/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml
+++ b/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml
@@ -20,7 +20,6 @@ source: |
 )
 )
 )
- // First time sender exclusions are in place to avoid legitimate messages from known freemail senders.
 and sender.email.email not in $sender_emails
 attack_types:
 - "BEC/Fraud"
diff --git a/detection-rules/link_ipfs_phishing.yml b/detection-rules/link_ipfs_phishing.yml
index 003c0545b0c..84337314f44 100644
--- a/detection-rules/link_ipfs_phishing.yml
+++ b/detection-rules/link_ipfs_phishing.yml
@@ -31,7 +31,6 @@ source: |
 // adding negation block for legitimate domains with ipfs in their name
 and not sender.email.domain.domain in ("shipfsl.com")
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (
diff --git a/detection-rules/link_login_or_captcha.yml b/detection-rules/link_login_or_captcha.yml
index cc97fe5df4c..70b12b721a0 100644
--- a/detection-rules/link_login_or_captcha.yml
+++ b/detection-rules/link_login_or_captcha.yml
@@ -28,8 +28,6 @@ source: |
 // exclude FP prone senders
 and sender.email.domain.root_domain not in ("sharepointonline.com")
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_microsoft_device_code_phish.yml b/detection-rules/link_microsoft_device_code_phish.yml
index 66a512fb78a..c9e50476872 100644
--- a/detection-rules/link_microsoft_device_code_phish.yml
+++ b/detection-rules/link_microsoft_device_code_phish.yml
@@ -32,8 +32,6 @@ source: |
 // A nine character string containing a combination of letters and characters
 regex.icontains(body.html.display_text, '[\W]([A-Z0-9]{9})[\W]')
 )
-
- // Unsolicited
 and (
 not profile.by_sender().solicited
 or (
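Review bot: In the link_invoice_fake_customer_service_freemail_sender.yml hunk, the removed line is not a section label like the `// unsolicited` comments elsewhere in this commit but the only explanation of why `and sender.email.email not in $sender_emails` exists, so the exclusion list is left undocumented. Unlike the other hunks, a short rationale should survive the cleanup, e.g. `// exclude known-legitimate freemail senders listed in $sender_emails` directly above that line. The enclosing `source: |` block begins outside the hunk, so I cannot see whether the rationale is restated nearer the top of the rule.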
diff --git a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
index 5268ea33c32..330c173024a 100644
--- a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
+++ b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml
@@ -32,8 +32,6 @@ source: |
 // org domain in the subject of the message
 and any($org_domains, strings.icontains(subject.subject, .))
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_notion_file_share.yml b/detection-rules/link_notion_file_share.yml
index f828857d393..b7a7cd744c2 100644
--- a/detection-rules/link_notion_file_share.yml
+++ b/detection-rules/link_notion_file_share.yml
@@ -43,8 +43,6 @@ source: |
 )
 )
 and sender.email.domain.domain != 'mail.notion.so'
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 60e335cf467..526c001c888 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -44,7 +44,6 @@ source: |
 )
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/link_suspicious_language_undisclosed_recipients.yml b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
index 714a90ec1d2..b2a20cbb845 100644
--- a/detection-rules/link_suspicious_language_undisclosed_recipients.yml
+++ b/detection-rules/link_suspicious_language_undisclosed_recipients.yml
@@ -37,7 +37,6 @@ source: |
 // subject is in all caps
 and regex.match(subject.subject, "[A-Z ]+")
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/mass_campaign_recipient_address_new_sender.yml b/detection-rules/mass_campaign_recipient_address_new_sender.yml
index d0cc7dd5a48..3c6a51ba966 100644
--- a/detection-rules/mass_campaign_recipient_address_new_sender.yml
+++ b/detection-rules/mass_campaign_recipient_address_new_sender.yml
@@ -15,8 +15,6 @@ source: |
 // exclude To: Undisclosed recipients:;
 // since we won't have a valid recipient email
 and any(recipients.to, .email.domain.valid == true)
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
index d28170e03f9..e2f035b548e 100644
--- a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
+++ b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml
@@ -10,7 +10,6 @@ source: |
 and length(body.links) > 0
 and any(body.links, length(.display_text) > 3000)
 and any(body.links, regex.icontains(.display_text, '(\bPassword:)', 'Hi.{0,5}Welcome\b'))
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/spam_new_domain_emojis.yml b/detection-rules/spam_new_domain_emojis.yml
index 761c940f949..f9f729955b7 100644
--- a/detection-rules/spam_new_domain_emojis.yml
+++ b/detection-rules/spam_new_domain_emojis.yml
@@ -21,8 +21,6 @@ source: |
 '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
 )
 )
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/spam_url_shortener_emojis.yml b/detection-rules/spam_url_shortener_emojis.yml
index 51f18a702ce..121f88ea7d0 100644
--- a/detection-rules/spam_url_shortener_emojis.yml
+++ b/detection-rules/spam_url_shortener_emojis.yml
@@ -24,8 +24,6 @@ source: |
 '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
 )
 )
-
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
diff --git a/detection-rules/vip_impersonation_attack_surface_reduction.yml b/detection-rules/vip_impersonation_attack_surface_reduction.yml
index 7a825b14d4a..36971da13ad 100644
--- a/detection-rules/vip_impersonation_attack_surface_reduction.yml
+++ b/detection-rules/vip_impersonation_attack_surface_reduction.yml
@@ -21,7 +21,6 @@ source: |
 or sender.display_name != mailbox.display_name
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
@@ -30,7 +29,6 @@ source: |
 )
 )
- // unsolicited
 and (
 not profile.by_sender().solicited
 or (