From 47971f023a15cb2e1e86d88dc251c7c1f19d40d8 Mon Sep 17 00:00:00 2001
From: Cameron Dunn
Date: Thu, 28 Sep 2023 15:35:22 -0700
Subject: [PATCH] add, modify, delete

---
 .../attachment_adobe_image_lure_fts_new.yml | 42 +++++++++++++++++++
 .../attachment_any_html_unsolicited.yml | 1 +
 .../attachment_archive_with_chm.yml | 25 -----------
 3 files changed, 43 insertions(+), 25 deletions(-)
 create mode 100644 detection-rules/attachment_adobe_image_lure_fts_new.yml
 delete mode 100644 detection-rules/attachment_archive_with_chm.yml

diff --git a/detection-rules/attachment_adobe_image_lure_fts_new.yml b/detection-rules/attachment_adobe_image_lure_fts_new.yml
new file mode 100644
index 00000000000..1894bb28358
--- /dev/null
+++ b/detection-rules/attachment_adobe_image_lure_fts_new.yml
@@ -0,0 +1,42 @@
+name: "Attachment: Adobe image lure with suspicious link from first time sender"
+description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(filter(attachments, .file_type not in $file_types_images)) == 0
+  and length(body.links) > 0
+  and all(body.links, .display_text is null)
+  and any(attachments,
+          any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high"))
+          and any(file.explode(.),
+                  strings.ilike(.scan.ocr.raw,
+                                "*review*",
+                                "*sign*",
+                                "*view*",
+                                "*completed document*",
+                                "*open agreement*"
+                  )
+          )
+  )
+  and (
+    (
+      sender.email.domain.root_domain in $free_email_providers
+      and sender.email.email not in $sender_emails
+    )
+    or (
+      sender.email.domain.root_domain not in $free_email_providers
+      and sender.email.domain.domain not in $sender_domains
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Image as content"
+  - "Impersonation: Brand"
+detection_methods:
+  - "Content analysis"
+  - "Computer Vision"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+  - "URL analysis"
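Review bot: The OCR gate `strings.ilike(.scan.ocr.raw, "*review*", "*sign*", "*view*", ...)` is very permissive — `*sign*` matches any image text containing "design" or "signature", and `*view*` already subsumes `*review*` — so an Adobe logo plus almost any marketing image from a first-time sender trips this medium-severity rule; consider phrase-level patterns such as `"*review and sign*"`, `"*view document*"`, `"*sign in*"` and dropping the redundant `"*review*"`. Separately, `detection_methods` lists "URL analysis" and the title promises a "suspicious link", but the only link condition is `length(body.links) > 0 and all(body.links, .display_text is null)`, so no property of the link targets is evaluated; either add a condition on the link destinations or drop that tag. `attack_types: "Malware/Ransomware"` also reads oddly for what the description calls a phishing lure with no payload check — a credential-phishing category seems intended, if this repository's taxonomy has one. Unlike the other two rules in this commit, the new file carries no `id:` field; if ids are assigned by tooling on merge this is fine, otherwise one is needed.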
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index 075feda5569..f072b489130
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -31,4 +31,5 @@ detection_methods:
   - "File analysis"
   - "HTML analysis"
   - "Sender analysis"
+  - "Temp"
 id: "ef36763f-917d-5338-b1ac-84047334dce8"
diff --git a/detection-rules/attachment_archive_with_chm.yml b/detection-rules/attachment_archive_with_chm.yml
deleted file mode 100644
index 56da4665e7a..00000000000
--- a/detection-rules/attachment_archive_with_chm.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: "Attachment: Archive with embedded CHM file"
-description: |
-  Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.
-
-  According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine
-  using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file.
-  The activity is associated with UNC1151, according to CERT-UA.
-references:
-  - "https://cert.gov.ua/article/37626"
-type: "rule"
-severity: "medium"
-source: |
-  type.inbound
-  and any(attachments,
-    .file_extension in~ $file_extensions_common_archives
-    and any(file.explode(.), .file_extension =~ "chm")
-  )
-attack_types:
-  - "Malware/Ransomware"
-tactics_and_techniques:
-  - "Evasion"
-detection_methods:
-  - "Archive analysis"
-  - "File analysis"
-id: "5280e94d-592b-5d80-b548-b0e2ad4c9eae"
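Review bot: `- "Temp"` is not a detection-method category — every other entry in this list, and in the new rule added by this same commit, names an analysis technique ("File analysis", "HTML analysis", "Sender analysis") — so it looks like a placeholder left in from testing, and it will fail any schema or taxonomy validation the repository applies to `detection_methods`. Remove the line, or replace it with the method the rule actually uses. The enclosing `detection_methods` list begins before this hunk.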