add, modify, delete

detection-rules/attachment_adobe_image_lure_fts_new.yml

@@ -0,0 +1,42 @@
+name: "Attachment: Adobe image lure with suspicious link from first time sender"
+description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(filter(attachments, .file_type not in $file_types_images)) == 0
+  and length(body.links) > 0
+  and all(body.links, .display_text is null)
+  and any(attachments,
+          any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high"))
+          and any(file.explode(.),
+                  strings.ilike(.scan.ocr.raw,
+                                "*review*",
+                                "*sign*",
+                                "*view*",
+                                "*completed document*",
+                                "*open agreement*"
+                  )
+          )
+  )
+  and (
+    (
+      sender.email.domain.root_domain in $free_email_providers
+      and sender.email.email not in $sender_emails
+    )
+    or (
+      sender.email.domain.root_domain not in $free_email_providers
+      and sender.email.domain.domain not in $sender_domains
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Image as content"
+  - "Impersonation: Brand"
+detection_methods:
+  - "Content analysis"
+  - "Computer Vision"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"

detection-rules/attachment_any_html_unsolicited.yml

@@ -31,4 +31,5 @@ detection_methods:
   - "File analysis"
   - "HTML analysis"
   - "Sender analysis"
+  - "Temp"
 id: "ef36763f-917d-5338-b1ac-84047334dce8"