Update link_qr_code_suspicious_language_fts.yml by @morriscode #924 Source SHA 1af78f3 Triggered by @morriscode
Sublime Rule Testing Bot committed on Nov 6, 2023. Parent: 07b9f30. Commit: 12dbb51.
Showing 1 changed file with 24 additions and 0 deletions.
@@ -0,0 +1,24 @@ | ||
name: "Link: QR Code with suspicious language (first-time sender) " | ||
description: | | ||
This rule analyzes image attachments for QR Codes that contain URLs including the recipient's email address. It ensures that the URLs do not link to any organizational domains. | ||
Additionally, it examines the email body using Natural Language Processing to detect credential phishing language.In cases of null bodies, | ||
the rule is conditioned to check the image for any suspicious terms. | ||
type: "rule" | ||
severity: "medium" | ||
source: "type.inbound\n\n// check image attachments for QR code, will want to add message.screenshot functionality here when it's ready\n// and length(attachments) < 10\nand any(attachments,\n (.file_type in $file_types_images or .file_type == \"pdf\")\n and any(file.explode(.),\n .scan.qr.type == \"url\"\n\n // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains\n and any(recipients.to,\n strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid\n )\n and .scan.qr.url.domain.root_domain not in $org_domains\n )\n)\n\n// NLU has identified cred_theft language with high confidence\nand (\n any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n or \n // the attachment contains suspicious strings\n (\n any(attachments,\n (.file_type in $file_types_images or .file_type == \"pdf\")\n and any(file.explode(.),\n any(.scan.strings.strings,\n regex.icontains(.,\n '(\\b2fa\\b|\\bQ.?R\\.?\\s?\\b|MFA|Muti[ -]?Factor Auth(entication)?)'\n )\n )\n )\n )\n )\n)\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand\n(\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and (\n any(distinct(headers.hops, .authentication_results.dmarc is not null),\n strings.ilike(.authentication_results.dmarc, \"*fail\")\n )\n )\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n" | ||
attack_types: | ||
- "Credential Phishing" | ||
tactics_and_techniques: | ||
- "Impersonation: Brand" | ||
- "QR code" | ||
- "Social engineering" | ||
detection_methods: | ||
- "Content analysis" | ||
- "Computer Vision" | ||
- "Natural Language Understanding" | ||
- "QR code analysis" | ||
- "Sender analysis" | ||
- "URL analysis" | ||
id: "25a84d1c-9578-53e3-98a7-ca9b43abb28b" | ||
testing_pr: 924 | ||
testing_sha: 1af78f3da97994f513685c86c3414b18510e352a |
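Review bot: the suspicious-strings regex in the `source` block misspells the alternation `Muti[ -]?Factor Auth(entication)?`, so extracted image/PDF text reading "Multi-Factor Authentication" will never match that branch; it should read `Multi[ -]?Factor Auth(entication)?`. While in that pattern, `\bQ.?R\.?\s?\b` ends with an optional whitespace followed by a word boundary, which makes the trailing `\b` meaningless when the space is consumed, and `MFA` has no word boundaries at all under `regex.icontains`, so it will fire on any substring. Separately, the `name` field says "(first-time sender)" but the `source` contains no sender-history condition, and the `description` claims the image strings are only checked "in cases of null bodies" whereas the source joins the NLU check and the string check with a plain `or`; the name, description and logic should agree (the `name` value also carries a trailing space, and the description is missing a space after "language.").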