From 795a79d68f90376c7a99e0cd13a25c522898f5df Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 3 Oct 2023 10:35:16 -0700
Subject: [PATCH 1/3] New rule: attachment_fake_zoom_installer.yml
---
.../attachment_fake_zoom_installer.yml | 62 +++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 detection-rules/attachment_fake_zoom_installer.yml
diff --git a/detection-rules/attachment_fake_zoom_installer.yml b/detection-rules/attachment_fake_zoom_installer.yml
new file mode 100644
index 00000000000..d3545f8c095
--- /dev/null
+++ b/detection-rules/attachment_fake_zoom_installer.yml
@@ -0,0 +1,62 @@
+name: "Attachment: Fake Slack installer"
+description: |
+ HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or .file_type == "html"
+ or .content_type == "text/html"
+ )
+ and any(file.explode(.),
+ any(ml.logo_detect(file.html_screenshot(..)).brands,
+ .name == "Slack" and .confidence in ("medium", "high")
+ )
+ and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
+ .name == "request" and .text =~ "download"
+ )
+ and any(.scan.url.urls,
+ strings.iends_with(.path, ".exe") and .domain.root_domain not in $org_domains
+ )
+ )
+ )
+ or any(attachments,
+ (.file_extension in~ $file_extensions_common_archives)
+ and any(file.explode(.),
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or ..file_type == "html"
+ or ..content_type == "text/html"
+ )
+ and any(ml.logo_detect(file.html_screenshot(..)).brands,
+ .name == "Slack" and .confidence in ("medium", "high")
+ )
+ and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
+ .name == "request" and .text =~ "download"
+ )
+ and any(.scan.url.urls,
+ strings.iends_with(.path, ".exe") and .domain.root_domain not in $org_domains
+ )
+ )
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Impersonation: Brand"
+ - "Scripting"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "Computer Vision"
+ - "File analysis"
+ - "HTML analysis"
+ - "Natural Language Understanding"
+ - "URL analysis"
+id: "cded2d2f-a5ca-5754-9f2a-d6bdf28baab4"
From 3ca3798535706693208f93ae0ccaefabb42ec579 Mon Sep 17 00:00:00 2001
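Review bot: In the archive branch the HTML-file test and the screenshot/parse calls use `..` (`..file_type == "html"`, `..content_type == "text/html"`, `file.html_screenshot(..)`, `file.parse_html(..)`), which inside `any(file.explode(.), …)` should resolve to the enclosing archive attachment rather than the exploded HTML file — if I read MQL scoping correctly, the two `..file_type`/`..content_type` clauses can never be true for a zip and the logo/NLU checks run against the archive, so that branch is likely dead despite "Archive analysis" being listed. The first branch is fine because there `..` is the HTML attachment itself; the second branch should address the exploded file directly, e.g. `.file_type == "html"`, `file.html_screenshot(.)` and `file.parse_html(.)` (or drop the two clauses if exploded files do not expose those fields). Separately, the executable check in both branches only matches a `.path` ending in `.exe`, so a fake installer linking to an `.msi`, `.msix`, `.dmg` or `.zip` is not caught; consider widening the suffix list or documenting why only `.exe` is in scope. Both points are worth confirming against a sample, since no test data is in this diff.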
From: Aiden Mitchell
Date: Tue, 17 Oct 2023 12:15:06 -0700
Subject: [PATCH 2/3] Update attachment_fake_zoom_installer.yml
---
detection-rules/attachment_fake_zoom_installer.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/detection-rules/attachment_fake_zoom_installer.yml b/detection-rules/attachment_fake_zoom_installer.yml
index d3545f8c095..c78c16a3998 100644
--- a/detection-rules/attachment_fake_zoom_installer.yml
+++ b/detection-rules/attachment_fake_zoom_installer.yml
@@ -1,6 +1,6 @@
-name: "Attachment: Fake Slack installer"
+name: "Attachment: Fake Zoom installer"
description: |
- HTML attachment contains a Slack logo, request language, and a link to an executable. Observed in the wild.
+ HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
type: "rule"
severity: "high"
source: |
@@ -14,7 +14,7 @@ source: |
)
and any(file.explode(.),
any(ml.logo_detect(file.html_screenshot(..)).brands,
- .name == "Slack" and .confidence in ("medium", "high")
+ .name == "Zoom" and .confidence in ("medium", "high")
)
and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
.name == "request" and .text =~ "download"
@@ -33,7 +33,7 @@ source: |
or ..content_type == "text/html"
)
and any(ml.logo_detect(file.html_screenshot(..)).brands,
- .name == "Slack" and .confidence in ("medium", "high")
+ .name == "Zoom" and .confidence in ("medium", "high")
)
and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
.name == "request" and .text =~ "download"
@@ -59,4 +59,3 @@ detection_methods: - "HTML analysis" - "Natural Language Understanding" - "URL analysis"
-id: "cded2d2f-a5ca-5754-9f2a-d6bdf28baab4"
From ddb151c77a85fa06cd2770b5b50d60f0dde83a33 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 17 Oct 2023 19:16:20 +0000
Subject: [PATCH 3/3] Auto add rule ID
---
detection-rules/attachment_fake_zoom_installer.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_fake_zoom_installer.yml b/detection-rules/attachment_fake_zoom_installer.yml
index c78c16a3998..68d883807cb 100644
--- a/detection-rules/attachment_fake_zoom_installer.yml
+++ b/detection-rules/attachment_fake_zoom_installer.yml
@@ -59,3 +59,4 @@ detection_methods: - "HTML analysis" - "Natural Language Understanding" - "URL analysis"
+id: "840a12a6-a796-5e73-b975-1d1b5f745aea"