From c55cbde1b280b08cabb42cc68fd8aee1a0b951eb Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 17 Oct 2023 11:29:27 -0400
Subject: [PATCH 1/2] New Rule: Advanced Fee Fraud from Freemail or Suspicious TLD

---
 ...dy_aff_from_freemail_or_suspicious_tld.yml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 detection-rules/body_aff_from_freemail_or_suspicious_tld.yml

diff --git a/detection-rules/body_aff_from_freemail_or_suspicious_tld.yml b/detection-rules/body_aff_from_freemail_or_suspicious_tld.yml
new file mode 100644
index 00000000000..592c5fb56e9
--- /dev/null
+++ b/detection-rules/body_aff_from_freemail_or_suspicious_tld.yml
@@ -0,0 +1,33 @@
+name: "Advanced Fee Fraud (AFF) from Freemail providers or Suspicious TLDs"
+description: Advanced Fee Fraud (AFF) is a type of BEC/Fraud involving upfront fees for promised future returns, such as lottery scams, inheritance payouts, and investment opportunities. This rule identifies messages from Freemail domains or suspicious TLDS, including those with suspicious reply-to addresses. It utilizes Natural Language Understanding to detect AFF language in their contents.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ sender.email.domain.domain in $free_email_providers
+ or (
+ length(headers.reply_to) > 0
+ and all(headers.reply_to,
+ (
+ .email.domain.root_domain in $free_email_providers
+ or .email.domain.tld in $suspicious_tlds
+ )
+ and .email.email != sender.email.email
+ )
+ )
+ or sender.email.domain.tld in $suspicious_tlds
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).tags,
+ .name == "advance_fee" and .confidence in ("medium", "high")
+ )
+
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
\ No newline at end of file
From edba087c83576aeb603da1051e6ea820622917f1 Mon Sep 17 00:00:00 2001
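Review bot: The sender branch matches `sender.email.domain.domain` against `$free_email_providers` while the reply-to branch matches `.email.domain.root_domain` against the same list, so a sender on a subdomain of a listed provider is handled differently depending on which header it appears in; unless that asymmetry is intentional, the sender line should read `sender.email.domain.root_domain in $free_email_providers` (or the reply-to line should use `.domain`, whichever key the list is built on). The `length(headers.reply_to) > 0` guard presumably exists because `all()` over an empty list would be vacuously true, so it deserves a one-line comment saying so before someone strips it as redundant. Nothing in the rule excludes senders the recipient has previously corresponded with, so a legitimate freemail contact whose thread the classifier tags as `advance_fee` at medium confidence will fire; if the platform exposes a sender-history or known-false-positive profile, adding that exclusion would cut noise without weakening the fraud case. Minor: `description` is the only top-level scalar left unquoted and contains "TLDS" for "TLDs"; quoting it (or using `>-`) as `name` is quoted keeps the file consistent.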
From: ID Generator
Date: Tue, 17 Oct 2023 15:32:24 +0000
Subject: [PATCH 2/2] Auto add rule ID

---
 detection-rules/body_aff_from_freemail_or_suspicious_tld.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection-rules/body_aff_from_freemail_or_suspicious_tld.yml b/detection-rules/body_aff_from_freemail_or_suspicious_tld.yml
index 592c5fb56e9..af82b1552f6 100644
--- a/detection-rules/body_aff_from_freemail_or_suspicious_tld.yml
+++ b/detection-rules/body_aff_from_freemail_or_suspicious_tld.yml
@@ -30,4 +30,5 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Natural Language Understanding"
- - "Sender analysis"
\ No newline at end of file
+ - "Sender analysis"
+id: "7186aacb-4c0d-5969-91f2-8339268d3cd1"