From 5eef9009068ce7b81ae014330e0795054c5f5d8b Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 14 Nov 2024 13:22:56 -0800
Subject: [PATCH] Create suspicious_request_financial.yml (#2021)

Co-authored-by: ID Generator
---
 .../suspicious_request_financial.yml | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 detection-rules/suspicious_request_financial.yml

diff --git a/detection-rules/suspicious_request_financial.yml b/detection-rules/suspicious_request_financial.yml
new file mode 100644
index 00000000000..11d423b95f2
--- /dev/null
+++ b/detection-rules/suspicious_request_financial.yml
@@ -0,0 +1,53 @@
+name: "Suspicious Request for Financial Information"
+description: "Email is from a suspicious sender and contains a request for financial information, such as AR reports."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ // no attachments
+ and length(attachments) == 0
+ // direct to recipient
+ and length(recipients.to) == 1
+ // suspicious sender
+ and (
+ (
+ length(headers.reply_to) > 0
+ and all(headers.reply_to,
+ .email.domain.root_domain != sender.email.domain.root_domain
+ and .email.domain.root_domain not in $org_domains
+ )
+ )
+ or sender.email.domain.root_domain in $free_email_providers
+ or profile.by_sender().days_known < 3
+ )
+ // specific financial language
+ and (
+ regex.icontains(subject.subject,
+ '\b(Aged|Age?ing) (Payables|Receivables|Report)'
+ )
+ or regex.icontains(body.current_thread.text,
+ '\b(Aged|Age?ing) (Payables|Receivables|Report)',
+ "updated (AR|accounts? (Payables|Receivables))"
+ )
+ )
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+ and not profile.by_sender().any_false_positives
+
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Free email provider"
+ - "Impersonation: Employee"
+ - "Impersonation: VIP"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
+id: "4ebdaa4d-4db2-56c6-9a6c-220ad49b7681"
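Review bot: The second body pattern passed to `regex.icontains(body.current_thread.text, ...)`, `"updated (AR|accounts? (Payables|Receivables))"`, has no word boundaries, and because the match is case-insensitive a benign phrase such as "the numbers I updated are attached" satisfies it through `updated ar`; with the remaining predicates (single recipient, free-mail or recently seen sender) being common in legitimate mail, this is a likely false-positive path for a high-severity rule. I would anchor it on both sides and use the same single-quoted form as the neighbouring pattern so the `\b` escapes are handled identically: `'\bupdated (AR|accounts? (Payables|Receivables))\b'`. The `'\b(Aged|Age?ing) (Payables|Receivables|Report)'` pattern used for subject and body could likewise take a trailing `\b` so that `Aging Reporting` or similar does not trip it, though that seems a smaller concern. If the `$high_trust_sender_root_domains`/DMARC branch is the repo-wide convention, a one-line `// trusted senders only match when DMARC fails` comment above it would make the intent clear to readers outside the project.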