diff --git a/detection-rules/vendor_impersonation_thread_hijack.yml b/detection-rules/vendor_impersonation_thread_hijack.yml
new file mode 100644
index 00000000000..f82a191db1e
--- /dev/null
+++ b/detection-rules/vendor_impersonation_thread_hijack.yml
@@ -0,0 +1,56 @@
+name: "Vendor impersonation: Thread hijacking with typosquat domain"
+description: "Detects potential thread hijacking where the sender uses a domain similar to known senders, exhibits BEC behavior, and shows signs of compromised thread continuity through domain spoofing or thread manipulation."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and subject.is_reply
+ and sender.email.domain.root_domain not in $sender_domains
+ // current sender has not been seen in the thread before
+ and any(body.previous_threads,
+ length(regex.iextract(.preamble, '<(?P\S*)>')) > 0
+ and any(regex.iextract(.preamble, '<(?P\S*)>'),
+ strings.parse_email(.named_groups['previous_email']).domain.domain not in $org_domains
+ )
+ )
+ and all(body.previous_threads,
+ all(regex.iextract(.preamble, '<(?P\S*)>'),
+ strings.parse_email(.named_groups['previous_email']).domain.domain != sender.email.domain.domain
+ )
+ )
+ and any($sender_domains,
+ 0 < strings.ilevenshtein(., sender.email.domain.root_domain) < 3
+ )
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "bec" and .confidence != "low"
+ )
+ // risky category
+ and any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name in (
+ "Financial Communications",
+ "E-Signature",
+ "Benefit Enrollment"
+ )
+ and .confidence == "high"
+ )
+ and 1 of (
+ not network.whois(sender.email.domain).found,
+ any(body.previous_threads, strings.icontains(.preamble, sender.display_name))
+ )
+ and (
+ profile.by_sender_domain().prevalence == "new"
+ or profile.by_sender_domain().days_known < 3
+ )
+
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Lookalike domain"
+ - "Social engineering"
+ - "Spoofing"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"
+ - "Whois"
+id: "9c2f38ed-dfc3-5251-aaf1-3d35cf18369e"
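Review bot: The three `regex.iextract(.preamble, '<(?P\S*)>')` calls are read back through `.named_groups['previous_email']`, but as shown the pattern has no group name after `(?P`, which is not a valid named-group syntax and would leave `previous_email` undefined; unless this is an artifact of how the page was rendered (an angle-bracketed name dropped as markup), the pattern should read `'<(?P<previous_email>\S*)>'` in all three places, and the committed file should be checked for that. The comment `// current sender has not been seen in the thread before` sits above the `any(body.previous_threads, ...)` block, which actually checks that previous participants are outside `$org_domains`; the "not seen before" check is the following `all(body.previous_threads, ...)` block, so moving the comment down, or rewording it to `// previous thread participants are external`, would make the intent read correctly. In the `1 of (...)` clause, `strings.icontains(.preamble, sender.display_name)` may match every preamble when `sender.display_name` is empty, so it is worth confirming the platform's empty-needle and null semantics and adding a presence check on the display name before it. Note also that the sender is compared against `$sender_domains` via `root_domain` while the thread-participant checks use `.domain.domain`, so a sender on a subdomain of a previous participant's root domain could still satisfy the `!=` test; using the same domain level in both places would make the two checks consistent.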