diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml index cf55796a50b..e86164b9aae 100644 --- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml +++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml @@ -4,557 +4,7 @@ description: | type: "rule" severity: "medium" source: | - type.inbound - and ( - regex.icontains(subject.subject, - "termination.*notice", - "38417", - ":completed", - "[il1]{2}mit.*ma[il1]{2} ?bo?x", - "[il][il][il]egai[ -]", - "[li][li][li]ega[li] attempt", - "[ng]-?[io]n .*block", - "[ng]-?[io]n .*cancel", - "[ng]-?[io]n .*deactiv", - "[ng]-?[io]n .*disabl", - "action.*required", - "abandon.*package", - "about.your.account", - "acc(ou)?n?t (is )?on ho[li]d", - "acc(ou)?n?t.*terminat", - "acc(oun)?t.*[il1]{2}mitation", - "access.*limitation", - "account (will be )?block", - "account.*de-?activat", - "account.*locked", - "account.*re-verification", - "account.*security", - "account.*suspension", - "account.has.expired", - "account.will.be.blocked", - "account v[il]o[li]at", - "activity.*acc(oun)?t", - "almost.full", - "app[li]e.[il]d", - "authenticate.*account", - "been.*suspend", - "crediential.*notif", - "clos.*of.*account.*processed", - "confirm.your.account", - "courier.*able", - "crediential.*notif", - "deactivation.*in.*progress", - "delivery.*attempt.*failed", - "disconnection.*notice", - "document.received", - "documented.*shared.*with.*you", - "dropbox.*document", - "e-?ma[il1]+ .{010}suspen", - "e-?ma[il1]{1} user", - "e-?ma[il1]{2} acc", - "e-?ma[il1]{2} preview", - "e-?ma[il1]{2}.*up.?grade", - "e.?ma[il1]{2}.*server", - "e.?ma[il1]{2}.*suspend", - "email.update", - "faxed you", - "fraud(ulent)?.*charge", - "from.helpdesk", - "fu[il1]{2}.*ma[il1]+[ -]?box", - "has.been.*suspended", - "has.been.limited", - "have.locked", - "he[li]p ?desk upgrade", - "heipdesk", - "i[il]iega[il]", - "ii[il]ega[il]", - "incoming e?mail", - "incoming.*fax", - "lock.*security", - "ma[il1]{1}[ -]?box.*quo", - "ma[il1]{2}[ -]?box.*fu[il1]", - "ma[il1]{2}box.*[il1]{2}mit", - "ma[il1]{2}box stor", - "mail on.?hold", - "mail.*box.*migration", - "mail.*de-?activat", - "mail.update.required", - "mails.*pending", - "messages.*pending", - "missed.*shipping.*notification", - "missed.shipment.notification", - "must.update.your.account", - "new [sl][io]g?[nig][ -]?in from", - "new voice ?-?mail", - "notifications.*pending", - "office.*3.*6.*5.*suspend", - "office365", - "on google docs with you", - "online doc", - "password.*compromised", - "(?:payroll|salary|bonus).*Distribution", - "periodic maintenance", - "potential(ly)? unauthorized", - "refund not approved", - "report", - "revised.*policy", - "scam", - "scanned.?invoice", - "secured?.update", - "security breach", - "securlty", - "signed.*delivery", - "status of your .{314}? ?delivery", - "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty", - "suspicious.*sign.*[io]n", - "suspicious.activit", - "temporar(il)?y deactivate", - "temporar[il1]{2}y disab[li]ed", - "temporarily.*lock", - "un-?usua[li].activity", - "unable.*deliver", - "unauthorized.*activit", - "unauthorized.device", - "undelivered message", - "unread.*doc", - "unusual.activity", - "(?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt", - "upgrade.*account", - "upgrade.notice", - "urgent message", - "urgent.verification", - "v[il1]o[li1]at[il1]on security", - "va[il1]{1}date.*ma[il1]{2}[ -]?box", - "verification ?-?require", - "verification( )?-?need", - "verify.your?.account", - "web ?-?ma[il1]{2}", - "web[ -]?ma[il1]{2}", - "will.be.suspended", - "your (customer )?account .as", - "your.office.365", - "your.online.access", - "de.activation", - // https://github.com/sublime-security/static-files/blob/master/suspicious_subjects.txt - "account has been limited", - "action required", - "almost full", - "apd notifi cation", - "are you at your desk", - "are you available", - "attached file to docusign", - "banking is temporarily unavailable", - "bankofamerica", - "closing statement invoice", - "completed: docusign", - "de-activation of", - "delivery attempt", - "delivery stopped for shipment", - "detected suspicious", - "detected suspicious actvity", - "docu sign", - "document for you", - "document has been sent to you via docusign", - "document is ready for signature", - "docusign", - "encrypted message", - "failed delivery", - "fedex tracking", - "file was shared", - "freefax", - "fwd: due invoice paid", - "has shared", - "inbox is full", - "invitation to comment", - "invitation to edit", - "invoice due", - "left you a message", - "message from", - "new message", - "new voicemail", - "on desk", - "out of space", - "password reset", - "payment status", - "pay notification", - "quick reply", - "re: w-2", - "required", - "required: completed docusign", - "remittance", - "ringcentral", - "scanned image", - "secured files", - "secured pdf", - "security alert", - "new sign-in", - "new sign in", - "sign-in attempt", - "sign in attempt", - "staff review", - "suspicious activity", - "unrecognized login attempt", - "unusual signin", - "upgrade immediately", - "urgent", - "wants to share", - "w2", - "you have notifications pending", - "your account", - "your amazon order", - "your document settlement", - "your order with amazon", - "your password has been compromised", - ) - or ( - regex.icontains(subject.subject, 'account.has.been') - and not regex.icontains(subject.subject, 'account.has.been.*created') - ) - or ( - regex.icontains(sender.display_name, - "Admin", - "Administrator", - "Alert", - "Assistant", - "Authenticat(or|ion)", - "Billing", - "Benefits", - "Bonus", - "CEO", - "CFO", - "CIO", - "CTO", - "Chairman", - "Claim", - "Confirm", - "Cpanel Mail", - "Critical", - "Customer Service", - "Deal", - "Discount", - "Director", - "Exclusive", - "Executive", - "Fax", - "Free", - "Gift", - '\bHR\b', - "Helpdesk", - "Human Resources", - "Immediate", - "Important", - "Info", - "Information", - "Invoice", - '\bIT\b', - '\bLegal\b', - "Lottery", - "Management", - "Manager", - "Member Services", - "Notification", - "Offer", - "Official Communication", - "Operations", - "Order", - "Partner", - "Payment", - "Payroll", - "Postmaster", - "President", - "Premium", - "Prize", - "Receipt", - "Refund", - "Registrar", - "Required", - "Reward", - "Sales", - "Secretary", - "Security", - "Server", - "Service", - "Storage", - "Support", - "Sweepstakes", - "System", - "Tax", - "Tech Support", - "Update", - "Upgrade", - "Urgent", - "Validate", - "Verify", - "VIP", - "Webmaster", - "Winner", - ) - // add negation for common FPs in the sender display_name - and not strings.icontains(sender.display_name, "service bulletin") - and not strings.icontains(sender.display_name, "automotive service") - ) - ) - and ( - 4 of ( - any(recipients.to, - .email.domain.valid - and ( - strings.icontains(body.current_thread.text, .email.email) - or strings.icontains(body.current_thread.text, .email.local_part) - ) - ), - any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "cred_theft" and .confidence in ("medium", "high") - ), - any(ml.nlu_classifier(body.current_thread.text).entities, - .name == "request" - ), - // recipient email address base64 encoded in link - any(body.links, - any(recipients.to, - any(beta.scan_base64(..href_url.url, - ignore_padding=true, - format="url" - ), - strings.icontains(., ..email.email) - ) - ) - ), - ( - // freemail providers should never be sending this type of email - sender.email.domain.domain in $free_email_providers - - // if not freemail, it's suspicious if the sender's root domain - // doesn't match any links in the body - or all(body.links, - .href_url.domain.root_domain != sender.email.domain.root_domain - and ( - .href_url.domain.root_domain not in $org_domains - // ignore recipient email addresses in the body in relation to this check - or ( - .href_url.domain.root_domain in $org_domains - and any(recipients.to, - strings.icount(body.current_thread.text, .email.email) == strings.icount(body.current_thread.text, - .email.domain.domain - ) - ) - ) - ) - ) - - // bulk mailers should also never be sending this type of email - or all(filter(body.links, - .href_url.domain.domain not in ( - "aka.ms", - "mimecast.com", - "mimecastprotect.com", - "cisco.com" - ) - ), - .href_url.domain.root_domain in $bulk_mailer_url_root_domains - ) - ), - // in case it's embedded in an image attachment - // note: don't use message_screenshot() because it's not limited to current_thread - // and may FP - any(attachments, - .file_type in $file_types_images - and any(file.explode(.), - any(ml.nlu_classifier(.scan.ocr.raw).intents, - .name == "cred_theft" and .confidence == "high" - ) - ) - ), - strings.contains(body.current_thread.text, - "Your mailbox can no longer send or receive messages." - ), - any(body.links, - strings.icontains(.href_url.query_params, 'redirect') - or any(.href_url.rewrite.encoders, - strings.icontains(., "open_redirect") - ) - ), - // multiple entities displaying urgency - length(filter(ml.nlu_classifier(body.current_thread.text).entities, - .name == "urgency" - ) - ) >= 2 - // and any body links - and any(body.links, - // display text contains a request - any(ml.nlu_classifier(.display_text).entities, .name == "request") - ), - any(body.links, - // display text contains a request - ( - any(ml.nlu_classifier(.display_text).entities, .name == "request") - or regex.match(.display_text, '^[^a-z]+$') - ) - and ( - .href_url.domain.domain in $url_shorteners - or .href_url.domain.domain in $social_landing_hosts - or .href_url.domain.root_domain in $url_shorteners - or .href_url.domain.root_domain in $social_landing_hosts - or .href_url.domain.domain in $free_file_hosts - or ( - .href_url.domain.root_domain in ( - "mimecast.com", - "mimecastprotect.com" - ) - and any(.href_url.query_params_decoded['domain'], - strings.parse_url(strings.concat("https://", .)).domain.domain in $url_shorteners - or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $url_shorteners - or strings.parse_url(strings.concat("https://", .)).domain.domain in $free_file_hosts - or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $free_subdomain_hosts - or strings.parse_url(strings.concat("https://", .)).domain.domain in $social_landing_hosts - or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $social_landing_hosts - ) - ) - ) - ), - // common greetings via email.local_part - any(recipients.to, - length(.email.local_part) > 2 - and - // use count to ensure the email address is not part of a disclaimer - strings.icount(body.current_thread.text, .email.local_part) > - // sum allows us to add more logic as needed - strings.icount(body.current_thread.text, - strings.concat('was sent to ', .email.email) - ) + strings.icount(body.current_thread.text, - strings.concat('intended for ', .email.email) - ) - ) - ) - or ( - ( - // recipient's email address is in the body - any(recipients.to, - // use count to ensure the email address is not part of a disclaimer - strings.icount(body.current_thread.text, .email.email) > - // sum allows us to add more logic as needed - sum([ - strings.icount(body.current_thread.text, - strings.concat('was sent to ', .email.email) - ), - strings.icount(body.current_thread.text, - strings.concat('intended for ', .email.email) - ) - ] - ) - ) - // suspicious display text - or ( - length(body.links) == 1 - and all(body.links, - strings.ilike(.display_text, "*click here*", "*password*") - ) - ) - ) - // link leads to a suspicious TLD or contains an IP address or contains multiple redirects - and any(body.links, - ( - ml.link_analysis(., mode="aggressive").effective_url.domain.tld in $suspicious_tlds - or length(distinct(map(ml.link_analysis(., mode="aggressive").redirect_history, - .domain.root_domain - ) - ) - ) >= 4 - or ( - any(body.ips, - any(body.links, strings.icontains(.href_url.url, ..ip)) - ) - ) - ) - ) - ) - ) - // exclude Google shared calendar messages - // Subject: " has shared a calendar with you" - and headers.return_path.domain.domain != "calendar-server.bounces.google.com" - // negate calendar invites - and not ( - 0 < length(attachments) < 3 - and all(attachments, .content_type in ("text/calendar", "application/ics")) - ) - // negate replies - and ( - ( - ( - length(headers.references) > 0 - or not any(headers.hops, - any(.fields, strings.ilike(.name, "In-Reply-To")) - ) - ) - and not ( - ( - strings.istarts_with(subject.subject, "RE:") - or strings.istarts_with(subject.subject, "R:") - or strings.istarts_with(subject.subject, "ODG:") - or strings.istarts_with(subject.subject, "答复:") - or strings.istarts_with(subject.subject, "AW:") - or strings.istarts_with(subject.subject, "TR:") - or strings.istarts_with(subject.subject, "FWD:") - or regex.icontains(subject.subject, - '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:' - ) - ) - ) - ) - or length(headers.references) == 0 - ) - // bounce-back and DMARC report negations - and not ( - strings.like(sender.email.local_part, - "*postmaster*", - "*mailer-daemon*", - "*administrator*" - ) - and ( - any(attachments, - .content_type in ( - "message/rfc822", - "message/delivery-status", - "text/calendar" - ) - ) - or ( - length(attachments) == 1 - and all(attachments, .content_type in ("application/gzip")) - and regex.icontains(subject.subject, - '(?:(Report\sDomain).*(Submitter).*(Report-ID))' - ) - ) - ) - ) - and ( - ( - profile.by_sender().prevalence != "common" - and not profile.by_sender_email().solicited - ) - or ( - profile.by_sender().any_messages_malicious_or_spam - and not profile.by_sender().any_messages_benign - ) - ) - // negate highly trusted sender domains unless they fail DMARC authentication - and ( - ( - sender.email.domain.root_domain in $high_trust_sender_root_domains - and not headers.auth_summary.dmarc.pass - ) - or sender.email.domain.root_domain not in $high_trust_sender_root_domains - ) - // FP avoidance - and not any(beta.ml_topic(body.current_thread.text).topics, - .name in ( - "Advertising and Promotions", - "Political Mail", - "News and Current Events", - "Newsletters and Digests" - ) and .confidence == "high" - ) - + false attack_types: - "Credential Phishing" tactics_and_techniques: