Sync from PR#1940

Create link_zoho_forms_unsolicited.yml by @zoomequipd #1940 Source SHA 23a2387 Triggered by @zoomequipd
sublime-security · Oct 24, 2024 · 786bd04 · 786bd04
1 parent 357dc8a
commit 786bd04
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/detection-rules/link_zoho_forms_unsolicited.yml b/detection-rules/link_zoho_forms_unsolicited.yml
@@ -2,7 +2,7 @@ name: "Link: Zoho Form Link from Unsolicited Sender"
 description: "This detection rule matches on messages containing at least one link to forms.zohopublic.com from an unsolicited sender. Zoho provides a free plan enabling users to create custom websites and file hosting. This service has been abused by threat actors to host landing pages via forms directing victims to a next stage of credential phishing."
 type: "rule"
 severity: "medium"
-source: "type.inbound\nand any(body.links,\n        // zoho forms link\n        .href_url.domain.domain == 'forms.zohopublic.com'\n        // remove a common FP for linking directly \n        and not strings.istarts_with(.href_url.path, '/quickbooking/')\n)\n// dont match messages with lots of links or long bodies, often marketing messages\nand length(body.links) < 20\nand length(body.current_thread.text) < 900\n// not solicited or from malicious/spam user with no FPs\nand (\n  not profile.by_sender().solicited\n  or (\n    profile.by_sender().any_messages_malicious_or_spam\n    and not profile.by_sender().any_false_positives\n  )\n)\n\n// not from high trust sender root domains\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+source: "type.inbound\nand any(body.links,\n        // zoho forms link\n        .href_url.domain.domain == 'forms.zohopublic.com'\n        // remove a common FP for linking directly \n        and not strings.istarts_with(.href_url.path, '/quickbooking/')\n        // ensure the link is within the current_thread\n        and (\n            strings.contains(body.current_thread.text, .display_text)\n            or \n            strings.contains(body.current_thread.text, .href_url.url)\n        )\n)\n// dont match messages with lots of links or long bodies, often marketing messages\nand length(body.links) < 20\nand length(body.current_thread.text) < 900\n// not solicited or from malicious/spam user with no FPs\nand (\n  not profile.by_sender().solicited\n  or (\n    profile.by_sender().any_messages_malicious_or_spam\n    and not profile.by_sender().any_false_positives\n  )\n)\n\n// not from high trust sender root domains\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
 attack_types:
   - "Callback Phishing"
 tactics_and_techniques:
@@ -13,4 +13,4 @@ detection_methods:
   - "Sender analysis"
 id: "eb04a9f2-c40b-5fcc-97de-bee7111bc3d8"
 testing_pr: 1940
-testing_sha: a561ca91dbb416b6612ba4d887ec0dff13637259
+testing_sha: 23a2387a4231a63be4447596bad83fb556fcf58a