-
Notifications
You must be signed in to change notification settings - Fork 53
/
Copy pathimpersonation_recipient_sld_in_sender_local_fts.yml
49 lines (49 loc) · 1.58 KB
/
impersonation_recipient_sld_in_sender_local_fts.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
name: "Impersonation: Recipient SLD in sender's email address local part"
type: "rule"
severity: "low"
description: |
The sender's email address local part contains the recipients SLD,
the sender's domain is not a known org domain, and it's an untrusted sender.
source: |
type.inbound
// check that there's at least 1 sus attachment, link, or body text
and (
length(attachments) > 0
// this must be run in user environments to not flag,
// not the Analyzer
or any(body.links, .href_url.domain.domain not in $org_domains)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name != "benign" and .confidence == "high"
)
)
and (
any(recipients.to,
(
strings.contains(sender.email.local_part, .email.domain.sld)
// checking to ensure no FPs, like "me" in "me.com"
and length(.email.domain.sld) > 3
)
)
)
// negating listservs
and not (
any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
and strings.contains(sender.display_name, "via")
)
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain not in ("medallia.com", "icims.com", "workday.com")
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "926f3b53-415c-590e-b5f7-a15c6d9e62c2"