Merge branch 'main' into morriscode-gitgudnoob

morriscode · web-flow · commit c69b291f0b12 · 2023-09-06T11:38:28.000-04:00
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -1,7 +1,7 @@
 name: "Attachment: DocuSign image lure with no DocuSign domains in links"
 description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSign logo attached, from a first-time sender."
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and length(filter(attachments, .file_type not in $file_types_images)) == 0
diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
@@ -10,11 +10,13 @@ source: |
           .content_type == "message/rfc822"
           and any(file.explode(.),
                   any(.scan.url.urls,
-                      .domain.root_domain in $free_subdomain_hosts
-                      or .domain.root_domain in ("sharepoint.com")
-                      or .domain.root_domain not in $tranco_1m
+                      (
+                        .domain.root_domain in $free_subdomain_hosts
+                        or .domain.root_domain in ("sharepoint.com")
+                        or .domain.root_domain not in $tranco_1m
+                      )
+                      and beta.linkanalysis(.).credphish.disposition == "phishing"
                   )
-                  and any(.scan.url.urls, beta.linkanalysis(.).credphish.disposition == "phishing")
           )
   )
 
diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -2,7 +2,7 @@ name: "Brand impersonation: Microsoft (QR code)"
 description: |
   Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and (
diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml
@@ -2,7 +2,7 @@ name: "Attachment: Office365 image (unsolicited)"
 description: |
   Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
 type: "rule"
-severity: "medium"
+severity: "high"
 source: |
   type.inbound
   and length(filter(attachments, .file_type not in $file_types_images)) == 0
diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml
@@ -12,7 +12,7 @@ source: |
           .file_extension == "pdf"
           and any(file.explode(.),
                   any(.scan.pdf.urls,
-                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)')
+                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
                       and .domain.root_domain not in $tranco_1m
                   )
           )
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
@@ -14,7 +14,7 @@ source: |
   )
   and (
     regex.icontains(sender.display_name,
-                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)'
+                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
     )
     or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
     or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
diff --git a/detection-rules/impersonation_fedex.yml b/detection-rules/impersonation_fedex.yml
@@ -13,7 +13,7 @@ source: |
     or strings.ilike(sender.email.domain.domain, '*fedex*')
   )
   // sedex.com is not affiliated with FedEx, but is an apparent FP
-  and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com')
+  and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com', 'myworkday.com')
   and sender.email.email not in $sender_emails
 attack_types:
   - "Credential Phishing"
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
@@ -9,16 +9,13 @@ source: |
                       '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
   )
   and (length(body.links) > 0 or length(attachments) > 0)
-
+  
   // Request and Urgency 
-  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")
-  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
+  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
+  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
   and (
-    (
-      length(ml.nlu_classifier(body.html.inner_text).intents) > 0
-      and any(ml.nlu_classifier(body.html.inner_text).intents, .name != "benign")
-    )
-    or length(ml.nlu_classifier(body.html.inner_text).intents) == 0
+    any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
+    and not length(ml.nlu_classifier(body.current_thread.text).intents) == 0
   )
   and (
     (
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
@@ -49,6 +49,7 @@ source: |
     'paypalcorp.com',
     'paypal-customerfeedback.com',
     'paypal-creditsurvey.com',
+    'paypal-prepaid.com',
     'xoom.com'
   )
 
diff --git a/detection-rules/impersonation_zoom_strict.yml b/detection-rules/impersonation_zoom_strict.yml
@@ -13,7 +13,7 @@ source: |
     or sender.display_name =~ 'zoom video communications, inc.'
     or sender.display_name =~ 'zoom call'
   )
-  and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com')
+  and sender.email.domain.root_domain not in ('zoom.us', 'zuora.com','zoomgov.com')
   and (
     // if this comes from a free email provider,
     // flag if org has never sent an email to sender's email before
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -36,6 +36,7 @@ source: |
       any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
     ),
   )
+  and sender.email.domain.root_domain not in ("magicjack.com")
   and (
     (
       sender.email.domain.root_domain in $free_email_providers
diff --git a/detection-rules/link_google_amp_suspicious_indicators.yml b/detection-rules/link_google_amp_suspicious_indicators.yml
@@ -10,10 +10,10 @@ severity: "medium"
 source: |
   type.inbound
 
-  // Any body links with a domain SLD of 'google' and a path starting with /amp/s
+  // Any body links with a domain SLD of 'google' and a path starting with /amp
   and any(body.links,
           .href_url.domain.sld == "google"
-          and strings.starts_with(.href_url.path, "/amp/s/")
+          and strings.starts_with(.href_url.path, "/amp/")
 
           // Brand Logo detected that is not google
           and (
diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml
@@ -8,6 +8,7 @@ references:
 severity: "high"
 source: |
   type.inbound
+  and length(body.links) < 10
   and any(body.links,
           // This isn't a Google Drive link
           .href_url.domain.root_domain != "google.com"
diff --git a/detection-rules/spam_new_domain_emojis.yml b/detection-rules/spam_new_domain_emojis.yml
@@ -9,6 +9,9 @@ source: |
   // sender is a freemail
   and sender.email.domain.root_domain in $free_email_providers
 
+  // linked domain is less than 10 days old
+  and any(body.links, beta.whois(.href_url.domain).days_old < 10)
+
   // has an emoji in the subject or body
   and (
     regex.contains(body.plain.raw,

Original file line number	Diff line number	Diff line change
`@@ -10,11 +10,13 @@ source: \|`
`10`	`10`	`.content_type == "message/rfc822"`
`11`	`11`	`and any(file.explode(.),`
`12`	`12`	`any(.scan.url.urls,`
`13`		`- .domain.root_domain in $free_subdomain_hosts`
`14`		`- or .domain.root_domain in ("sharepoint.com")`
`15`		`- or .domain.root_domain not in $tranco_1m`
	`13`	`+ (`
	`14`	`+ .domain.root_domain in $free_subdomain_hosts`
	`15`	`+ or .domain.root_domain in ("sharepoint.com")`
	`16`	`+ or .domain.root_domain not in $tranco_1m`
	`17`	`+ )`
	`18`	`+ and beta.linkanalysis(.).credphish.disposition == "phishing"`
`16`	`19`	`)`
`17`		`- and any(.scan.url.urls, beta.linkanalysis(.).credphish.disposition == "phishing")`
`18`	`20`	`)`
`19`	`21`	`)`
`20`	`22`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ source: \|`
`12`	`12`	`.file_extension == "pdf"`
`13`	`13`	`and any(file.explode(.),`
`14`	`14`	`any(.scan.pdf.urls,`
`15`		`- regex.contains(.path, '\.(?:exe\|cab\|vbs\|ps1\|rar\|iso\|dll\|one\|lnk\|sh)')`
	`15`	`+ regex.contains(.path, '\.(?:exe\|cab\|vbs\|ps1\|rar\|iso\|dll\|one\|lnk\|sh)\b')`
`16`	`16`	`and .domain.root_domain not in $tranco_1m`
`17`	`17`	`)`
`18`	`18`	`)`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ source: \|`
`14`	`14`	`)`
`15`	`15`	`and (`
`16`	`16`	`regex.icontains(sender.display_name,`
`17`		`- '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay\|marketplace\|\.com)'`
	`17`	`+ '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay\|marketplace\|\.com)\|ᵃ⤻ᶻ'`
`18`	`18`	`)`
`19`	`19`	`or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1`
`20`	`20`	`or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ source: \|`
`13`	`13`	`or strings.ilike(sender.email.domain.domain, 'fedex')`
`14`	`14`	`)`
`15`	`15`	`// sedex.com is not affiliated with FedEx, but is an apparent FP`
`16`		`- and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com')`
	`16`	`+ and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com', 'myworkday.com')`
`17`	`17`	`and sender.email.email not in $sender_emails`
`18`	`18`	`attack_types:`
`19`	`19`	`- "Credential Phishing"`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ source: \|`
`49`	`49`	`'paypalcorp.com',`
`50`	`50`	`'paypal-customerfeedback.com',`
`51`	`51`	`'paypal-creditsurvey.com',`
	`52`	`+ 'paypal-prepaid.com',`
`52`	`53`	`'xoom.com'`
`53`	`54`	`)`
`54`	`55`