-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create abuse_dropbox_unsolicited_reply-to.yml by @zoomequipd #2078 Source SHA 4aa3bf9 Triggered by @zoomequipd
- Loading branch information
Sublime Rule Testing Bot
committed
Dec 10, 2024
1 parent
06e7aa0
commit 53156b3
Showing
1 changed file
with
61 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| name: "Service Abuse: DropBox Share From an Unsolicited Reply-To Address" | ||
| description: "This rule detects DropBox shares notifications which contain a reply-to address or domain that has not been previously observed sending messages to or receveing messages from the recipient organization." | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| // Legitimate Dropbox sending infratructure | ||
| and sender.email.email == "[email protected]" | ||
| and headers.auth_summary.spf.pass | ||
| and headers.auth_summary.dmarc.pass | ||
| and strings.ends_with(headers.auth_summary.spf.details.designator, | ||
| '.dropbox.com' | ||
| ) | ||
| and strings.icontains(subject.subject, 'shared') | ||
| and strings.icontains(subject.subject, 'with you') | ||
| and length(headers.reply_to) > 0 | ||
| // reply-to email address has never been sent an email by the org | ||
| and not ( | ||
| any(headers.reply_to, .email.email in $recipient_emails) | ||
| // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains | ||
| or any(filter(headers.reply_to, | ||
| // filter the list to only emails that are not in free_email_providers | ||
| ( | ||
| .email.domain.domain not in $free_email_providers | ||
| or .email.domain.root_domain not in $free_email_providers | ||
| ) | ||
| ), | ||
| .email.domain.domain in $recipient_domains | ||
| ) | ||
| ) | ||
| // reply-to address has never sent an email to the org | ||
| and not ( | ||
| any(headers.reply_to, .email.email in $sender_emails) | ||
| // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains | ||
| or any(filter(headers.reply_to, | ||
| // filter the list to only emails that are not in free_email_providers | ||
| ( | ||
| .email.domain.domain not in $free_email_providers | ||
| or .email.domain.domain not in $free_email_providers | ||
| ) | ||
| ), | ||
| .email.domain.domain in $sender_domains | ||
| ) | ||
| ) | ||
| tags: | ||
| - "Attack surface reduction" | ||
| attack_types: | ||
| - "Callback Phishing" | ||
| - "BEC/Fraud" | ||
| tactics_and_techniques: | ||
| - "Evasion" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Sender analysis" | ||
| - "Header analysis" | ||
| - "Content analysis" | ||
| id: "50a1499f-bb59-5ee0-b4f4-e3cc84a5c41e" | ||
| testing_pr: 2078 | ||
| testing_sha: 4aa3bf9457aafc69079840df938c76ecdef28f5a |