Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initial batch of $high_trust_sender negations #877

Merged
merged 6 commits into from
Oct 27, 2023
Merged

Initial batch of $high_trust_sender negations #877

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b51f30d
Initial batch of $high_trust_sender negations
morriscode Oct 25, 2023
1608872
Merge branch 'main' into sam.trusted_senders
morriscode Oct 26, 2023
9933548
Swapping name to match list update
morriscode Oct 26, 2023
48512d5
Update attachment_any_html_new_sender.yml
morriscode Oct 26, 2023
70d775a
Merge branch 'main' into sam.trusted_senders
morriscode Oct 26, 2023
141b21f
Adding missed $
morriscode Oct 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions detection-rules/attachment_any_html_new_sender.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

tags:
- "Attack surface reduction"
tactics_and_techniques:
Expand Down
14 changes: 14 additions & 0 deletions detection-rules/attachment_any_html_unsolicited.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,20 @@ source: |
not profile.by_sender().any_false_positives
and not profile.by_sender().solicited
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
tags:
- "Attack surface reduction"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/body_business_email_compromise_new_sender.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "BEC/Fraud"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/callback_phishing_nlu_body_or_attachments.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,21 @@ source: |
)
)


// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Callback Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_amazon.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,21 @@ source: |
)
and sender.email.email not in $recipient_emails
and sender.email.domain.domain not in $org_domains

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_amex.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,21 @@ source: |
)
and sender.email.domain.domain not in ('accountprotection.microsoft.com')
and sender.email.email not in $recipient_emails

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_bank_of_america.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,21 @@ source: |
)
and sender.email.domain.root_domain not in~ ('bankofamerica.com', 'transunion.com', 'bofa.com')
and sender.email.email not in $recipient_emails

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_chase.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
14 changes: 14 additions & 0 deletions detection-rules/impersonation_coinbase.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,20 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
tags:
- "Cryptocurrency"
attack_types:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_dhl.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_dropbox.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,21 @@ source: |
and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
)
and sender.email.email not in $recipient_emails

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_employee_urgent_request.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "BEC/Fraud"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_human_resources.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "BEC/Fraud"
- "Credential Phishing"
Expand Down
14 changes: 14 additions & 0 deletions detection-rules/impersonation_microsoft.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,20 @@ source: |
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_paypal.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_spotify.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,21 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
14 changes: 14 additions & 0 deletions detection-rules/impersonation_sublime_security.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,20 @@ source: |
and not profile.by_sender().any_false_positives
)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
15 changes: 15 additions & 0 deletions detection-rules/impersonation_ups.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,21 @@ source: |
)
and any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
and sender.email.email not in $recipient_emails

// negate highly trusted sender domains unless they fail DMARC authentication
and
(
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
Loading
Loading