Create shipping_chinese_domain.yml (#3607)

Co-authored-by: ID Generator <[email protected]>

Author: aidenmitchell

detection-rules/shipping_chinese_domain.yml

@@ -0,0 +1,34 @@
+name: "Fraudulent order confirmation/shipping notification from Chinese sender domain"
+description: "Detects an order confirmation/shipping notification from a suspicious sender domain based in China. The order may be legitimately placed by the user, but the store is fraudulent and it is unlikely that their order will arrive. Links to these e-commerce sites have been observed in online advertising. We recommend enabling a custom warning banner to alert users and prompt them to contact their bank to recover their funds."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // direct to recipient
+  and length(recipients.to) == 1
+  and length(body.previous_threads) == 0
+  
+  // Known patterns
+  and (sender.display_name is null or sender.email.local_part == "support")
+  and all(headers.reply_to, .email.domain.root_domain == sender.email.domain.root_domain)
+  
+  // Alibaba Cloud nameservers
+  and length(network.whois(sender.email.domain).name_servers) > 0
+  and all(network.whois(sender.email.domain).name_servers,
+          .root_domain == "hichina.com"
+  )
+  
+  // Shipping notification
+  and any(ml.nlu_classifier(body.current_thread.text).topics,
+          .name in ('Shipping and Package', "Order Confirmations")
+  )
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+  - "Whois"
+id: "4392a14e-421e-5e2f-8659-a92d1a6bb1fd"