Update credential_phishing_esign_document_notification.yml (#2082)
zoomequipd authored Nov 13, 2024
1 parent 7fe43d6 commit 8de7a93
Showing 1 changed file with 58 additions and 6 deletions.
Expand Up @@ -47,6 +47,9 @@ source: |
"docufile",
"E­-­S­i­g­n­&Return",
"document.signature",
"Electronic.?Signature",
"Complete: ",
"Please Review"
)
)
and (
Expand All @@ -61,12 +64,15 @@ source: |
or regex.icontains(body.html.raw, '(<p[^>]*>&nbsp;</p>\s*){7,}')
or strings.count(body.html.raw, '&nbsp;‌&nbsp;‌&nbsp') > 50
or regex.count(body.html.raw,
'<span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]\s*<\/span><span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]+\s*<\/span>'
) > 50
'<span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]\s*<\/span><span\s*class\s*=\s*"[^\"]+"\s*>\s*[a-z]+\s*<\/span>'
) > 50
// lookalike docusign
or regex.icontains(body.html.raw, '>Docus[1l]gn<')
or (regex.icontains(body.html.inner_text, 'Document') and length(body.html.inner_text) < 300)
// common greetings via email.local_part
or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
or any(recipients.to,
strings.icontains(body.current_thread.text, .email.local_part)
)
// HR impersonation
or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*")
)
Expand All @@ -87,7 +93,9 @@ source: |
'(listen|play).{0,10}(vm|voice)',
'clarify.{0,20}(deposit|wallet|funds)',
'enter.{0,15}teams',
'Review and sign'
'Review and sign',
'REVIEW.*DOCUMENT'
)
)
or any(body.links,
Expand All @@ -108,6 +116,51 @@ source: |
and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$")
)
)
or (
length(attachments) > 0
and any(attachments,
(
regex.icontains(beta.ocr(.).text,
"activate",
"re-auth",
"verify",
"acknowledg",
"(keep|change).{0,20}(active|password|access)",
'((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
'use.same.pass',
'validate.{0,15}account',
'recover.{0,15}messages',
'(retry|update).{0,10}payment',
'check activity',
'(listen|play).{0,10}(vm|voice)',
'clarify.{0,20}(deposit|wallet|funds)',
'enter.{0,15}teams',
'Review and sign'
)
)
or (
any(file.explode(.),
regex.icontains(.scan.ocr.raw,
"activate",
"re-auth",
"verify",
"acknowledg",
"(keep|change).{0,20}(active|password|access)",
'((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)',
'use.same.pass',
'validate.{0,15}account',
'recover.{0,15}messages',
'(retry|update).{0,10}payment',
'check activity',
'(listen|play).{0,10}(vm|voice)',
'clarify.{0,20}(deposit|wallet|funds)',
'enter.{0,15}teams',
'Review and sign'
)
)
)
)
)
)
and (
not profile.by_sender().solicited
Expand All @@ -117,7 +170,7 @@ source: |
)
)
and not profile.by_sender().any_false_positives
// negate replies/fowards containing legitimate docs
and not (
length(headers.references) > 0
Expand All @@ -136,7 +189,6 @@ source: |
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
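Review bot: The three lure-phrase lists are now out of sync: `'REVIEW.*DOCUMENT'` was added after `'Review and sign',` in the link display-text list, but the two new OCR lists under `beta.ocr(.).text` and `.scan.ocr.raw` both still end at `'Review and sign'`, so the same lure rendered inside an attachment image is not caught; the pattern should be added to both copies, or the shared alternatives factored into one list if the rule language supports that for regex arguments (I can't confirm that from this page). The `length(attachments) > 0 and` guard before `any(attachments, ...)` is redundant, since `any` over an empty list is already false. Both OCR calls run on every attachment and every exploded child with no file-type or size bound, which deserves a comment such as `// OCR runs on every attachment and exploded child; restrict by type/size if this proves slow` so the cost is visible to the next editor. The enclosing `source:` expression starts and ends outside the visible hunks.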
