Sender Profiles: Prevalence and Past behavior #815

Merged
merged 28 commits into from
Oct 4, 2023
Changes from 2 commits
Commits
28 commits
20282ba
Third time is a charm
morriscode Sep 22, 2023
8a0e342
Merge branch 'main' into sender_profiles
morriscode Sep 22, 2023
15d59db
Merge branch 'main' into sender_profiles
cameron-dunn-sublime Sep 26, 2023
cc29319
Updating any_malicious_messages to any_messages_malicious_or_spam
morriscode Sep 26, 2023
aed114f
Merge branch 'main' into sender_profiles
jkamdjou Sep 26, 2023
17574fc
Merge branch 'main' into sender_profiles
morriscode Oct 3, 2023
edbec06
Merge branch 'main' into sender_profiles
cameron-dunn-sublime Oct 4, 2023
0a9cb4c
Update attachment_any_html_new_sender.yml
morriscode Oct 4, 2023
63df918
Update attachment_html_attachment_login_page.yml
morriscode Oct 4, 2023
7fa974b
Update attachment_js_file_execution.yml
morriscode Oct 4, 2023
431199d
Update attachment_mht_embedded_vbscript.yml
morriscode Oct 4, 2023
636f6f2
Update attachment_any_html_unsolicited.yml
morriscode Oct 4, 2023
512f088
Update attachment_eml_cred_theft.yml
morriscode Oct 4, 2023
f1d6b1f
Update attachment_eml_with_html_attachment.yml
morriscode Oct 4, 2023
e399c7b
Update attachment_microsoft_image_lure_qr_code.yml
morriscode Oct 4, 2023
e347c3f
Update attachment_office365_image.yml
morriscode Oct 4, 2023
2795540
Update attachment_pdf_link_to_dmg.yml
morriscode Oct 4, 2023
a5bbd06
Update impersonation_barracuda.yml
morriscode Oct 4, 2023
269217f
Update body_business_email_compromise_new_sender.yml
morriscode Oct 4, 2023
d8ae07d
Update impersonation_dhl.yml
morriscode Oct 4, 2023
c0de6a3
Update headers_replyto_new_domain_nlu_request.yml
morriscode Oct 4, 2023
5a85c00
Update impersonation_employee_urgent_request.yml
morriscode Oct 4, 2023
fa4c1d4
Update link_credential_phishing.yml
morriscode Oct 4, 2023
f43855b
Update impersonation_fake_msg_thread_mismatched_from_freemail_replyto…
morriscode Oct 4, 2023
c80d788
Update impersonation_microsoft.yml
morriscode Oct 4, 2023
f8cd0f0
Update impersonation_recipient_domain.yml
morriscode Oct 4, 2023
2ab25e4
Update impersonation_spotify.yml
morriscode Oct 4, 2023
db1cd08
Removing FTS//Unsolicited Comments
morriscode Oct 4, 2023
9 changes: 3 additions & 6 deletions detection-rules/attachment_adobe_image_lure_fts.yml
Expand Up @@ -20,13 +20,10 @@ source: |
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
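Review bot: the attribute name on the `profile.by_sender().any_malicious_messages` line is stale relative to the rest of the PR; commit cc29319 in the commit list ("Updating any_malicious_messages to any_messages_malicious_or_spam") renames it, so this two-commit view does not show the name that lands in the merged rule. Separately, the new clause drops the freemail/non-freemail split the old `$sender_emails` / `$sender_domains` checks had: a sender is now treated as suspicious when `prevalence in ("new", "outlier")`, or when it has malicious history with no false positives, regardless of provider. That widens coverage to established-domain senders that are simply new to this org, which is worth stating in the PR description since it changes which senders this rule fires on.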
Expand Up @@ -14,13 +14,10 @@ source: |
and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
9 changes: 3 additions & 6 deletions detection-rules/attachment_any_html_new_sender.yml
Expand Up @@ -14,13 +14,10 @@ source: |

// first-time sender
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
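Review bot: the `// first-time sender` comment above this block no longer describes it; with the `or profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives` branch, the block also matches senders the org has seen before that have malicious history. Either drop the comment or reword it, e.g. `// new/outlier sender, or known-malicious sender with no false positives`. The commit list shows db1cd08 ("Removing FTS//Unsolicited Comments") addressing this later in the PR, so this is just a note for readers of this two-commit view.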
9 changes: 3 additions & 6 deletions detection-rules/attachment_any_html_unsolicited.yml
Expand Up @@ -14,13 +14,10 @@ source: |

// unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
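Review bot: `not profile.by_sender().solicited` replaces a check against `$recipient_emails` / `$recipient_domains`, i.e. addresses and domains the org has previously sent mail to. Worth confirming in the PR description that the `solicited` profile attribute is scoped the same way (sender previously emailed by someone in the org), otherwise every rule keyed on "unsolicited" changes sensitivity in one step. Also note the `// unsolicited` comment only describes the first branch now; the `any_malicious_messages` branch fires for solicited senders too.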
9 changes: 3 additions & 6 deletions detection-rules/attachment_callback_phish_with_img.yml
Expand Up @@ -10,13 +10,10 @@ severity: "high"
source: |
type.inbound
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
and sender.email.domain.root_domain in $free_email_providers
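Review bot: the unchanged context line `and sender.email.domain.root_domain in $free_email_providers` directly after this block means the rule still only fires for freemail senders, so the removed `root_domain not in $free_email_providers` branch was unsatisfiable here (dead code), and the new `any_malicious_messages` branch will only ever apply to freemail senders in this rule. Behaviour is fine, but if the freemail requirement is intended to stay, say so in a comment so the next editor does not read the sender-profile block as applying to corporate domains.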
9 changes: 3 additions & 6 deletions detection-rules/attachment_callback_phish_with_pdf.yml
Expand Up @@ -8,13 +8,10 @@ severity: "high"
source: |
type.inbound
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)

Expand Up @@ -26,13 +26,10 @@ source: |
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
Expand Up @@ -14,13 +14,10 @@ source: |
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
9 changes: 3 additions & 6 deletions detection-rules/attachment_eml_cred_theft.yml
Expand Up @@ -32,13 +32,10 @@ source: |

// unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
9 changes: 3 additions & 6 deletions detection-rules/attachment_eml_with_html_attachment.yml
Expand Up @@ -43,13 +43,10 @@ source: |

// unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
Expand Up @@ -19,13 +19,10 @@ source: |
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
9 changes: 3 additions & 6 deletions detection-rules/attachment_encrypted_ole_unsolicited.yml
Expand Up @@ -13,13 +13,10 @@ source: |
and file.oletools(.).indicators.encryption.exists
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
9 changes: 3 additions & 6 deletions detection-rules/attachment_html_attachment_login_page.yml
Expand Up @@ -70,13 +70,10 @@ source: |
)
// Unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
Expand Up @@ -13,13 +13,10 @@ authors:
source: |
type.inbound
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
and any(attachments,
Expand Up @@ -25,13 +25,10 @@ source: |
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
// allow Microsoft domains just to be safe
9 changes: 3 additions & 6 deletions detection-rules/attachment_js_file_execution.yml
Expand Up @@ -17,13 +17,10 @@ source: |
)
// first-time sender
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
9 changes: 3 additions & 6 deletions detection-rules/attachment_malwarebazaar.yml
Expand Up @@ -6,13 +6,10 @@ source: |
type.inbound
and any(attachments, .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
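Review bot: gating a trusted-reporter MalwareBazaar SHA256 match (`.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters`) on sender profile means a matching attachment from an established sender with no malicious history, such as a compromised mailbox the org corresponds with regularly, is not flagged by this rule. That was already true with the old `$sender_emails` / `$sender_domains` lists, but since the hash match is strong evidence on its own, a short comment explaining why the sender gate is kept (presumably false-positive control for internally forwarded samples) would help the next reviewer, and it is worth checking that another rule covers the known-sender case.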
9 changes: 3 additions & 6 deletions detection-rules/attachment_mht_embedded_vbscript.yml
Expand Up @@ -17,13 +17,10 @@ source: |

// unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
9 changes: 3 additions & 6 deletions detection-rules/attachment_microsoft_image_lure_qr_code.yml
Expand Up @@ -37,13 +37,10 @@ source: |
)
// unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
9 changes: 3 additions & 6 deletions detection-rules/attachment_office365_image.yml
Expand Up @@ -56,13 +56,10 @@ source: |
)
// unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
not profile.by_sender().solicited
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
Expand Up @@ -23,13 +23,10 @@ source: |
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types:
9 changes: 3 additions & 6 deletions detection-rules/attachment_pdf_link_to_dmg.yml
Expand Up @@ -43,13 +43,10 @@ source: |

// first time sender
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
tags:
Expand Up @@ -19,13 +19,10 @@ source: |
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
profile.by_sender().prevalence in ("new", "outlier")
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
profile.by_sender().any_malicious_messages
and not profile.by_sender().any_false_positives
)
)
attack_types: