From ce562445f21f0bc6b2c27457c153a7eab59ba7a1 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 3 Nov 2023 11:05:55 -0400
Subject: [PATCH 1/5] New Rule: Suspicious Lookerstudio link
---
 ...us_lookerstudio_new_unsolicited_sender.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
new file mode 100644
index 00000000000..e0cd4c7d627
--- /dev/null
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -0,0 +1,26 @@
+name: "Suspicious link to lookerstudio from a new and unsolicited sender"
+description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender. "
+type: "rule"
+severity: ""
+source: |
+ type.inbound
+ and length(body.current_thread.text) < 800
+ and regex.icontains(body.current_thread.text,
+ '(shared.{0,30}with you|View Document)'
+ )
+ and any(body.links, .href_url.domain.domain == "lookerstudio.google.com")
+
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
From e18c3f27b175234fe502e1f3683b10a1c2697579 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 3 Nov 2023 11:15:45 -0400
Subject: [PATCH 2/5] Update link_suspicious_lookerstudio_new_unsolicited_sender.yml
---
 .../link_suspicious_lookerstudio_new_unsolicited_sender.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
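Review bot: The description on the second added line promises detection of a "non standard lookerstudio template", but nothing in `source` inspects a template — the only content checks are the 800-character bound and the `(shared.{0,30}with you|View Document)` regex, so the rule fires on any short message carrying a lookerstudio.google.com link from a new or outlier, unsolicited sender, a genuine share notification included. Either drop the template claim from the description or add the check it describes, otherwise the next maintainer will assume a content discriminator that is not there. A one-line comment above the `regex.icontains` call saying what the phrase list is meant to match would also make it tunable, e.g. `// wording lifted from the Looker Studio share notification; extend as lures change`. Note that the `body.links` test matches only an exact host of `lookerstudio.google.com`, which is fine for the stated scope but worth stating in the description.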
diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
index e0cd4c7d627..1b460db9768 100644
--- a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -1,7 +1,7 @@
 name: "Suspicious link to lookerstudio from a new and unsolicited sender"
 description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender. "
 type: "rule"
-severity: ""
+severity: "medium"
 source: |
 type.inbound
 and length(body.current_thread.text) < 800
From 501587108d209e6d138f64ca5726ffb90e6cadf8 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 3 Nov 2023 15:17:23 +0000
Subject: [PATCH 3/5] Auto add rule ID
---
 .../link_suspicious_lookerstudio_new_unsolicited_sender.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
index 1b460db9768..ac37f466443 100644
--- a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -24,3 +24,4 @@ detection_methods:
 - "Content analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "dbb50cb4-171f-532b-b820-906be09d03d6"
From fe8827b2d60961d72d60d34efdf16e93f699bf33 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 3 Nov 2023 11:27:11 -0400
Subject: [PATCH 4/5] Update link_suspicious_lookerstudio_new_unsolicited_sender.yml
---
 .../link_suspicious_lookerstudio_new_unsolicited_sender.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
index ac37f466443..89c5f2bdd83 100644
--- a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -1,4 +1,4 @@
-name: "Suspicious link to lookerstudio from a new and unsolicited sender"
+name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
 description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender. "
 type: "rule"
 severity: "medium"
From acec2b7e99c601324e3e420894acac9958648389 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Sun, 5 Nov 2023 23:59:20 -0500
Subject: [PATCH 5/5] Update link_suspicious_lookerstudio_new_unsolicited_sender.yml
---
 ...picious_lookerstudio_new_unsolicited_sender.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
index 89c5f2bdd83..ea3493d78ea 100644
--- a/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
+++ b/detection-rules/link_suspicious_lookerstudio_new_unsolicited_sender.yml
@@ -1,5 +1,5 @@
 name: "Suspicious link to Looker Studio (lookerstudio.google.com) from a new and unsolicited sender"
-description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender. "
+description: "This rule detects messages containing links to lookerstudio with a non standard lookerstudio template from a new and unsolicited sender."
 type: "rule"
 severity: "medium"
 source: |
@@ -15,6 +15,18 @@ source: |
 and not profile.by_sender().solicited
 )
 
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
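Review bot: The new high-trust negation can suppress the very case this rule targets: if the notification Looker Studio itself sends when a report is shared comes from a google.com address that passes DMARC — I believe it does, confirm against a real sample — then with google.com in `$high_trust_sender_root_domains` both the DMARC-fail branch and the `or ... not in` branch are false and the message never matches. Consider carving that notification sender out of the negation, or verifying the list's contents, before relying on it. A second consequence worth recording in the comment: `any(distinct(headers.hops, .authentication_results.dmarc is not null), ...)` is false when no hop carries a DMARC result, so a high-trust domain with no DMARC result at all is negated as if authenticated, e.g. `// a high-trust sender with no dmarc result on any hop is treated as authenticated`. The `source` block this sits in starts before the hunk.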