

mark rule false
cameron-dunn-sublime committed Oct 2, 2023
1 parent cd5a99e commit 06db83d
Showing 1 changed file with 1 addition and 32 deletions.
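--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -3,38 +3,7 @@ description: "Detects DocuSign phishing emails with no DocuSign links, a DocuSig
 type: "rule"
 severity: "high"
 source: |
-type.inbound
-and length(filter(attachments, .file_type not in $file_types_images)) == 0
-and any(body.links, not strings.ilike(.href_url.domain.root_domain, "docusign.*"))
-and any(attachments,
-(
-any(ml.logo_detect(.).brands, .name == "DocuSign" and .confidence in ("medium", "high"))
-or any(file.explode(.),
-strings.ilike(.scan.ocr.raw, "*DocuSign*")
-and any(ml.nlu_classifier(.scan.ocr.raw).intents,
-.name == "cred_theft" and .confidence != "low"
-)
-)
-)
-and any(file.explode(.),
-regex.icontains(.scan.ocr.raw,
-"review document",
-"[^d][^o][^c][^u]sign",
-"important edocs",
-"completed document"
-)
-)
-)
-and (
-(
-sender.email.domain.root_domain in $free_email_providers
-and sender.email.email not in $sender_emails
-)
-or (
-sender.email.domain.root_domain not in $free_email_providers
-and sender.email.domain.domain not in $sender_domains
-)
-)
+false
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques: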
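Review bot: The rule is neutralised by replacing the whole `source` body with `false`, but nothing in the file records why it was disabled or whether it is meant to come back, while the surrounding metadata (`severity: "high"`, the description in the hunk header, the `attack_types` entry) still reads as if the rule were live. A reader of the rule set later cannot tell a deliberate retirement from a typo, and the detection logic that was here is now only recoverable from history. I would add a comment above the `false` line such as `# Disabled <DATE>: <REASON, e.g. false-positive volume or superseded by RULE_NAME>` (placeholders to be filled in), and consider stating the disabled status in the description line as well. If the rule is permanently retired, removing the file or moving it to an archive location would be clearer than keeping an always-false rule with high severity; the rest of the file, including `tactics_and_techniques`, continues outside this hunk.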
