Update credential_phishing_one_drive_impersonation.yml by @morriscode #2120 Source SHA d42a67e Triggered by @morriscode
Sublime Rule Testing Bot
committed
Nov 13, 2024
1 parent
3d4013b
commit 0ca3674
Showing
1 changed file
with
19 additions
and
0 deletions.
19 changes: 19 additions & 0 deletions
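--- a/detection-rules/credential_phishing_one_drive_impersonation.yml
+++ b/detection-rules/credential_phishing_one_drive_impersonation.yml
@@ -0,0 +1,19 @@
+name: "Credential phishing: Onedrive impersonation"
+description: "This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language."
+type: "rule"
+severity: "high"
+source: "type.inbound\n// one drive is found in the sender display name or sender local part\nand (\n (\n regex.icontains(sender.display_name, '[0o]ne\\s?dr[il1]ve')\n or regex.icontains(sender.email.local_part, '[0o]ne\\s?dr[il1]ve')\n or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n \"one?drive\"\n ) < 2\n )\n or regex.imatch(body.current_thread.text, '[0o]ne\\s?dr[il1]ve.*')\n // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text\n or (\n regex.icontains(strings.replace_confusables(subject.subject),\n '[0o]ne\\s?dr[il1]ve'\n )\n and (\n any(body.links,\n .href_url.domain.root_domain in $free_subdomain_hosts\n and .href_url.domain.subdomain is not null\n and .href_url.domain.subdomain != \"www\"\n )\n or regex.contains(subject.subject, '(shared.{0,30}document)')\n or any(body.links,\n regex.icontains(.display_text,\n \"((view|show|access).(?:report|document)|review doc|view doc|view.attached)\"\n )\n )\n )\n )\n)\n\n// and body language is med/high confidence cred theft\nand any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence in (\"medium\", \"high\")\n)\nand length(body.links) < 10\nand sender.email.domain.root_domain not in (\n \"bing.com\",\n \"microsoft.com\",\n \"microsoftonline.com\",\n \"microsoftsupport.com\",\n \"microsoft365.com\",\n \"office.com\",\n \"onedrive.com\",\n \"sharepointonline.com\",\n \"yammer.com\",\n)\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n\n// excludes docusign senders that contain \"via\" in the display name \nand not (\n any(headers.hops,\n any(.fields,\n .name == \"X-Api-Host\" and strings.ends_with(.value, \"docusign.net\")\n )\n )\n and strings.contains(sender.display_name, \"via\")\n)\nand not profile.by_sender().solicited\nand not profile.by_sender().any_false_positives\n"
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Free subdomain host"
+- "Impersonation: Brand"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Natural Language Understanding"
+- "URL analysis"
+id: "1f990c92-a6d5-5a0b-9462-ac469a8d556e"
+testing_pr: 2120
+testing_sha: d42a67ee37c90748d1fe99dcf62c5047bbaf8973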
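Review bot: The static exclusion `and sender.email.domain.root_domain not in ("bing.com", … "yammer.com")` in the `source` field exempts those Microsoft domains unconditionally, whereas the `$high_trust_sender_root_domains` block immediately after it only exempts a domain when `headers.auth_summary.dmarc.pass` holds, so a message whose From: root domain is on the static list but fails DMARC never reaches the rest of the rule. Gating the list the same way, `and not (sender.email.domain.root_domain in ("bing.com", …, "yammer.com") and headers.auth_summary.dmarc.pass)`, keeps the intent of the exclusion and makes the two exclusions consistent. Separately, `strings.ends_with(.value, "docusign.net")` in the X-Api-Host exclusion is a bare-suffix match that also accepts unrelated hosts ending in those characters; `strings.ends_with(.value, ".docusign.net")` (or an equality check against the expected host) is the tighter form. The comment `// one drive is found in the sender display name or sender local part` only describes the inner group, while `regex.imatch(body.current_thread.text, …)` is a sibling `or` at the outer level, so either the comment should mention the body check or that clause belongs with the subject branch.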