From 44c6c0b0d6609d8d17edc386a1dfbb2e23581421 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Fri, 17 Nov 2023 22:02:28 -0500
Subject: [PATCH 1/2] New rule - Brand impersonation: Sharepoint fake file share
---
 ...personation_sharepoint_fake_file_share.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 detection-rules/impersonation_sharepoint_fake_file_share.yml
diff --git a/detection-rules/impersonation_sharepoint_fake_file_share.yml b/detection-rules/impersonation_sharepoint_fake_file_share.yml
new file mode 100644
index 00000000000..68a9788d6fd
--- /dev/null
+++ b/detection-rules/impersonation_sharepoint_fake_file_share.yml
@@ -0,0 +1,64 @@
+name: "Brand impersonation: Sharepoint fake file share"
+description: |
+ This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+
+ // Sharepoint body content looks like this
+ and strings.contains(body.current_thread.text, "shared a file with you")
+ and strings.icontains(subject.subject, "shared")
+ and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Microsoft")
+
+ // fake Sharepoint shares are easy to identify if there are any links
+ // that don't point to microsoft[.]com or *.sharepoint[.]com
+ and not all(body.links,
+ .href_url.domain.root_domain in ("microsoft.com", "sharepoint.com")
+ )
+ and sender.email.domain.root_domain not in $org_domains
+ and sender.email.domain.root_domain not in (
+ "bing.com",
+ "microsoft.com",
+ "microsoftonline.com",
+ "microsoftsupport.com",
+ "microsoft365.com",
+ "office.com",
+ "onedrive.com",
+ "sharepointonline.com",
+ "yammer.com"
+ )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+ and (
+ (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "URL analysis"
+ - "Computer Vision"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
From 28da4a6f50a819b62afa785a52f6481cbbe0042e Mon Sep 17 00:00:00 2001
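Review bot: The description on the third line of the hunk says the rule fires `where no links point to known Microsoft domains`, but the predicate `not all(body.links, .href_url.domain.root_domain in ("microsoft.com", "sharepoint.com"))` fires as soon as any single link points outside those two roots, and it never fires on a body with no links at all, since `all` over an empty list is true. The description should state the actual condition, e.g. `This rule detects messages impersonating a Sharepoint file sharing email where at least one link points outside microsoft.com or sharepoint.com.` The body check uses case-sensitive `strings.contains` while the subject check two lines later uses `strings.icontains`; if that asymmetry is not deliberate, `strings.icontains(body.current_thread.text, "shared a file with you")` keeps the two consistent. It is also worth confirming whether the link allowlist is intentionally narrower than the sender root-domain exclusion list below it (office.com, onedrive.com and sharepointonline.com are excluded as senders but not as link targets), and documenting that choice in the comment above the `all(` call.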
From: ID Generator
Date: Sat, 18 Nov 2023 03:05:18 +0000
Subject: [PATCH 2/2] Auto add rule ID
---
 detection-rules/impersonation_sharepoint_fake_file_share.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/impersonation_sharepoint_fake_file_share.yml b/detection-rules/impersonation_sharepoint_fake_file_share.yml
index 68a9788d6fd..f31d519aff3 100644
--- a/detection-rules/impersonation_sharepoint_fake_file_share.yml
+++ b/detection-rules/impersonation_sharepoint_fake_file_share.yml
@@ -62,3 +62,4 @@ detection_methods:
 tactics_and_techniques:
 - "Impersonation: Brand"
 - "Social engineering"
+id: "ff8b296b-aa0d-5df0-b4d2-0e599b688f6a"