Sync from PR#1940

Create link_zoho_forms_unsolicited.yml by @zoomequipd #1940 Source SHA a561ca9 Triggered by @zoomequipd
sublime-security · Oct 8, 2024 · 2d62ca4 · 2d62ca4
1 parent f286a0d
commit 2d62ca4
Showing 1 changed file with 3 additions and 25 deletions.
diff --git a/detection-rules/link_zoho_forms_unsolicited.yml b/detection-rules/link_zoho_forms_unsolicited.yml
@@ -1,30 +1,8 @@
 name: "Link: Zoho Form Link from Unsolicited Sender"
-description: "This detection rule matches on messaging containing at least one link to forms.zohopublic.com from an unsolicited sender.  Zoho provides a free plan enabling users to create custom websites and file hosting.  This services has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing."
+description: "This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing."
 type: "rule"
 severity: "medium"
-source: |
-  type.inbound
-  and any(body.links,
-          // webflow link
-          .href_url.domain.domain == 'forms.zohopublic.com'
-  )
-  // not solicited or from malicious/spam user with no FPs
-  and (
-    not profile.by_sender().solicited
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
-  )
-
-  // not from high trust sender root domains
-  and (
-    (
-      sender.email.domain.root_domain in $high_trust_sender_root_domains
-      and not headers.auth_summary.dmarc.pass
-    )
-    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
-  )
+source: "type.inbound\nand any(body.links,\n        // zoho forms link\n        .href_url.domain.domain == 'forms.zohopublic.com'\n        // remove a common FP for linking directly \n        and not strings.istarts_with(.href_url.path, '/quickbooking/')\n)\n// dont match messages with lots of links or long bodies, often marketing messages\nand length(body.links) < 20\nand length(body.current_thread.text) < 900\n// not solicited or from malicious/spam user with no FPs\nand (\n  not profile.by_sender().solicited\n  or (\n    profile.by_sender().any_messages_malicious_or_spam\n    and not profile.by_sender().any_false_positives\n  )\n)\n\n// not from high trust sender root domains\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
 attack_types:
   - "Callback Phishing"
 tactics_and_techniques:
@@ -35,4 +13,4 @@ detection_methods:
   - "Sender analysis"
 id: "eb04a9f2-c40b-5fcc-97de-bee7111bc3d8"
 testing_pr: 1940
-testing_sha: 9c0d84111d48ab5819a7936b6cee90216e2be193
+testing_sha: a561ca91dbb416b6612ba4d887ec0dff13637259