-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update body_extortion.yml by @zoomequipd #2438 Source SHA 234b508 Triggered by @zoomequipd
- Loading branch information
Sublime Rule Testing Bot
committed
Feb 26, 2025
1 parent
5975aa0
commit 46c25db
Showing
1 changed file
with
132 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,132 @@ | ||
| name: "Extortion / sextortion (untrusted sender)" | ||
| description: | | ||
| Detects extortion and sextortion attempts by analyzing the email body text from an untrusted sender. | ||
| references: | ||
| - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/" | ||
| type: "rule" | ||
| severity: "low" | ||
| source: | | ||
| type.inbound | ||
| and length(filter(body.links, .display_text is not null)) < 10 | ||
| and not ( | ||
| ml.nlu_classifier(body.current_thread.text).language == "english" | ||
| and any(beta.ml_topic(body.html.display_text).topics, | ||
| .name in ( | ||
| "News and Current Events", | ||
| "Newsletters and Digests", | ||
| "Advertising and Promotions" | ||
| ) | ||
| and .confidence == "high" | ||
| ) | ||
| ) | ||
| and ( | ||
| ( | ||
| any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text)).intents, | ||
| .name == "extortion" and .confidence == "high" | ||
| ) | ||
| and any(ml.nlu_classifier(strings.replace_confusables(body.current_thread.text | ||
| ) | ||
| ).entities, | ||
| .name == "financial" | ||
| ) | ||
| ) | ||
| // manual indicators failsafe | ||
| or 3 of ( | ||
| // malware terms | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| "((spy|mal)ware|t[rŗ]ojan|remote control)" | ||
| ), | ||
| // actions recorded | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| "po[rŗ]n|adult (web)?site|webcam|mastu[rŗ]bating|je[rŗ]king off|pleasu[rŗ]ing you[rŗ]self|getting off" | ||
| ), | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| "perver[rŗ]|perve[rŗ]sion|mastu[rŗ]bat" | ||
| ), | ||
| // a timeframe to pay | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| '[ilo0-9]{2} (?:hou[rŗ]s|uu[rŗ])', | ||
| '(?:one|two|th[rŗ]ee|\d) days?' | ||
| ), | ||
| // a promise from the actor | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| '(?:pe[rŗ]manently|will) delete|([rŗ]emove|destroy) (?:\w+\s*){0,4} (?:data|evidence|videos?)' | ||
| ), | ||
| // a threat from the actor | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| 'sen[dt]\s*(?:\w+\s*){0,2}\s*to\s*(?:\w+\s*){0,3}\s*you[rŗ] contacts' | ||
| ), | ||
| // bitcoin language (excluding newsletters) | ||
| ( | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| 'bitc[oöة]+in|\bbtc\b|blockchain' | ||
| ) | ||
| // negate cryptocurrency newsletters | ||
| and not ( | ||
| any(body.links, | ||
| strings.icontains(.display_text, "unsubscribe") | ||
| and ( | ||
| strings.icontains(.href_url.path, "unsubscribe") | ||
| // handle mimecast URL rewrites | ||
| or ( | ||
| .href_url.domain.root_domain == 'mimecastprotect.com' | ||
| and strings.icontains(.href_url.query_params, | ||
| sender.email.domain.root_domain | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| ), | ||
| ( | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| '(?:contact the police|(?:bitcoin|\bbtc\b).{0,20}wallet)' | ||
| ) | ||
| and regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| '(\b[13][a-km-zA-HJ-NP-Z0-9]{24,34}\b)|\bX[1-9A-HJ-NP-Za-km-z]{33}\b|\b(0x[a-fA-F0-9]{40})\b|\b[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}\b|\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b' | ||
| ) | ||
| ), | ||
| regex.icontains(strings.replace_confusables(body.current_thread.text), | ||
| 'bc1q.{0,50}\b' | ||
| ) | ||
| ) | ||
| ) | ||
| and ( | ||
| not profile.by_sender().solicited | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| or any(headers.hops, any(.fields, .name == "X-Google-Group-Id")) | ||
| // many extortion emails spoof sender domains and fail sender authentication | ||
| or ( | ||
| not headers.auth_summary.dmarc.pass | ||
| or headers.auth_summary.dmarc.pass is null | ||
| or not headers.auth_summary.spf.pass | ||
| ) | ||
| ) | ||
| // negate benign newsletters that mention cyber extortion | ||
| and not ( | ||
| any(body.links, | ||
| strings.icontains(.display_text, "unsubscribe") | ||
| and strings.icontains(.href_url.path, "unsubscribe") | ||
| // newsletters are typically longer than the average extortion script | ||
| and length(body.current_thread.text) > 2000 | ||
| ) | ||
| ) | ||
| and length(body.current_thread.text) < 6000 | ||
| attack_types: | ||
| - "Extortion" | ||
| tactics_and_techniques: | ||
| - "Social engineering" | ||
| - "Spoofing" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Sender analysis" | ||
| id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6" | ||
| testing_pr: 2438 | ||
| testing_sha: 234b508f9f6dc63dff153e5a2c84a80cefc9a902 |