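name: "Attachment: Callback Phishing solicitation via text file with a large unknown recipient list"
description: "Callback Phishing via text file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender."
type: "rule"
severity: "medium"
# The rule fires only when every top-level `and` clause below holds. Each clause
# is an independent signal: recipient list, subject/body brevity, link shape,
# attachment content, sender reputation, and sender trust vs. DMARC result.
# The block scalar is indented two spaces; the earlier copy of this file had lost
# all indentation, which is significant both for YAML and for reading the query.
source: |
  type.inbound
  // Recipient list: more than 10 recipients in To, of which at least 10 are
  // outside the org, not previously seen, and either have a valid domain or
  // carry an "undisclosed" display name.
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (
                        .email.domain.valid
                        or strings.icontains(.display_name, "undisclosed")
                      )
                     )
    ) >= 10
  )
  // Subject is at most 10 characters long.
  and length(subject.subject) <= 10
  // Links: either the body has no links, or every link is one of
  //   (a) a bare URL (no display text) whose display URL equals the sender's
  //       root domain, e.g. an extraction from a warning banner,
  //   (b) a link whose href domain is aka.ms, or
  //   (c) a link whose display domain was registered fewer than 30 days ago.
  // The filter count must equal the total link count, so any other link
  // suppresses the rule.
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
                    )
    ) == length(body.links)
  )
  // Body: the current thread has no text, or fewer than 50 characters of it.
  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
  // Between one and three attachments.
  and 0 < length(attachments) < 4
  // Attachment content: at least one text/plain attachment whose extracted
  // strings contain one of the brand names below AND a phone-number-like
  // string (the two matches may be in different strings of the same file).
  and any(attachments,
          .content_type == "text/plain"
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*mcafee*",
                                    "*norton*",
                                    "*geek squad*",
                                    "*paypal*",
                                    "*ebay*",
                                    "*symantec*",
                                    "*best buy*",
                                    "*lifelock*",
                                    "*geek total*"
                      )
                      // `..` presumably re-scopes to the exploded file (the
                      // parent of the current string) — confirm against the
                      // MQL docs. The pattern accepts an optional "+", an
                      // optional single-digit country code, optional
                      // parentheses around the area code, then 3-3-4 digits.
                      // The unescaped "." is a wildcard, so any single
                      // character (including a digit) serves as a separator;
                      // one separator is required between the area code and
                      // exchange, the one before the last four digits is
                      // optional. `\d{3}?` is a lazy exact-count quantifier
                      // and behaves as `\d{3}`.
                      and any(..scan.strings.strings,
                              regex.icontains(.,
                                              '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b'
                              )
                      )
                  )
          )
  )
  // Sender reputation: not a common sender, never solicited, and no prior
  // false positives recorded for this sender.
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives
  // Negate highly trusted sender domains unless they fail DMARC authentication:
  // a sender whose root domain is on the high-trust list only passes this
  // clause if some hop reports a DMARC result ending in "fail"; every other
  // sender passes unconditionally.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
id: "ca39c83a-b308-532d-894b-528bdaef2748"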