From 5fcde29dd8222c868a830f0f73759f969793b18b Mon Sep 17 00:00:00 2001 From: Sublime Rule Testing Bot Date: Fri, 10 Jan 2025 17:10:59 +0000 Subject: [PATCH] Sync from PR#2130 Create impersonation_benefits_enrollment.yml by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/2130 Source SHA df9c68a84d84ea051f05d489f42d3d3d7692eb25 Triggered by @aidenmitchell --- .../impersonation_benefits_enrollment.yml | 150 ++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 detection-rules/impersonation_benefits_enrollment.yml diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml new file mode 100644 index 00000000000..7a05fb8f383 --- /dev/null +++ b/detection-rules/impersonation_benefits_enrollment.yml @@ -0,0 +1,150 @@ +name: "Benefits Enrollment Impersonation" +description: "Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication." +type: "rule" +severity: "high" +source: | + type.inbound + and sender.email.domain.domain not in $org_domains + and ( + length(body.current_thread.text) < 2500 or body.current_thread.text is null + ) + and ( + regex.icontains(subject.subject, + '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment + 'benefit(s)? (plan|choice|selection|deadline|period)', + 'hr benefits', + 'annual enrol{1,2}ment', + 'healthcare (choice|selection|opt.?in)', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + 'dependent (coverage|verification)', + '(health|dental|vision|insurance|medical) enrol{1,2}ment' + ) + or regex.icontains(body.current_thread.text, + 'benefit(s)? (plan|choice|selection|deadline|period)', + 'hr benefits', + 'annual enrol{1,2}ment', + 'healthcare (choice|selection|opt.?in)', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + 'dependent (coverage|verification)', + '(health|dental|vision|insurance|medical) enrol{1,2}ment', + '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)', + 'coverage.{0,20}(expire|terminate)', + 'last (day|chance).{0,20}(enrol{1,2}|select)', + '(login|sign.?in).{0,20}(benefit portal|hr portal)', + '(verify|update|confirm).{0,20}(benefit.{0,20}selection)' + ) + or any(attachments, + regex.icontains(.file_name, + 'fileDoc-Review', + '(open|benefits?) enrol{1,2}ment', + 'annual enrol{1,2}ment', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)', + ) + ) + ) + and 2 of ( + any(ml.nlu_classifier(body.current_thread.text).entities, + .name in ("urgency", "request") + ), + any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"), + ( + (length(body.current_thread.text) < 250 and length(attachments) == 1) + or (body.current_thread.text is null and length(attachments) == 1) + ), + // lure in attachment + ( + any(attachments, + ( + .file_type in $file_types_images + or .file_type in ("pdf", "docx", "doc") + or .file_extension in $file_extensions_macros + ) + and any(filter(file.explode(.), .scan.ocr.raw is not null), + ( + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name != "benign" + ) + or any(ml.nlu_classifier(.scan.ocr.raw).entities, + .name in ("urgency", "request") + ) + ) + ) + ) + ) + ) + // negate replies + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // Negate common marketing mailers + and not regex.icontains(sender.display_name, + 'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations' + ) + and not ( + // Constant Contact + any(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + "constantcontact.com" + ) + ) + or any(headers.hops, + strings.icontains(.received_spf.designator, "constantcontact.com") + ) + or ( + ( + any(headers.hops, + .index == 0 + and any(.authentication_results.dkim_details, + .domain == "auth.ccsend.com" + ) + ) + ) + and headers.auth_summary.dmarc.pass + ) + or any(headers.references, strings.iends_with(., "ccsend.com")) + // Hubspot + or any(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + "hubspotemail.net" + ) + ) + ) + and sender.email.domain.root_domain not in~ ( + 'medicare.gov', + 'farmers.com', + 'uhc.com', + 'blueshieldca.com', + 'corestream.com' + ) + and ( + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Impersonation: Employee" + - "Out of band pivot" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" +id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b" +testing_pr: 2130 +testing_sha: df9c68a84d84ea051f05d489f42d3d3d7692eb25