-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New Rule: Callback Phishing Invoice from < 30d domains (#957)
Co-authored-by: ID Generator <[email protected]> Co-authored-by: Josh Kamdjou <[email protected]>
- Loading branch information
3 people
authored
Nov 20, 2023
1 parent
14c50d3
commit 993d2e1
Showing
1 changed file
with
80 additions
and
0 deletions.
There are no files selected for viewing
80 changes: 80 additions & 0 deletions
80
detection-rules/callback_phishing_invoice_fraud_30d_domains.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| name: "Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old" | ||
| description: "This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. " | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| // reply to domain that's less than 30d old and doesn't match the sender | ||
| and ( | ||
| ( | ||
| length(headers.reply_to) > 0 | ||
| and all(headers.reply_to, | ||
| beta.whois(.email.domain).days_old <= 30 | ||
| and .email.email != sender.email.email | ||
| ) | ||
| ) | ||
| // or the return path or sender domain is less than 30d old | ||
| or beta.whois(headers.return_path.domain).days_old <= 30 | ||
| or beta.whois(sender.email.domain).days_old <= 30 | ||
| ) | ||
| // invoicing with high confidence | ||
| and any(ml.nlu_classifier(body.current_thread.text).tags, | ||
| .name == "invoice" and .confidence == "high" | ||
| ) | ||
| // commonly abused brands in body | ||
| and ( | ||
| strings.ilike(body.current_thread.text, | ||
| "*mcafee*", | ||
| "*norton*", | ||
| "*geek squad*", | ||
| "*paypal*", | ||
| "*ebay*", | ||
| "*symantec*", | ||
| "*best buy*", | ||
| "*lifelock*", | ||
| "*virus*" | ||
| ) | ||
| // commonly abused brand logo | ||
| or any(ml.logo_detect(beta.message_screenshot()).brands, | ||
| .name in ("PayPal", "Norton", "GeekSquad", "Ebay") | ||
| ) | ||
| // check message screenshot ocr for commonly abused brands | ||
| or any(file.explode(beta.message_screenshot()), | ||
| 1 of ( | ||
| strings.icontains(.scan.ocr.raw, "geek squad"), | ||
| strings.icontains(.scan.ocr.raw, "lifelock"), | ||
| strings.icontains(.scan.ocr.raw, "best buy"), | ||
| strings.icontains(.scan.ocr.raw, "mcafee"), | ||
| strings.icontains(.scan.ocr.raw, "norton"), | ||
| strings.icontains(.scan.ocr.raw, "ebay"), | ||
| strings.icontains(.scan.ocr.raw, "paypal"), | ||
| strings.icontains(.scan.ocr.raw, "virus"), | ||
| ) | ||
| ) | ||
| ) | ||
| // phone number regex | ||
| and regex.icontains(body.current_thread.text, | ||
| '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}' | ||
| ) | ||
| and not profile.by_sender().solicited | ||
| and not profile.by_sender().any_false_positives | ||
| attack_types: | ||
| - "Callback Phishing" | ||
| tactics_and_techniques: | ||
| - "Impersonation: Brand" | ||
| - "Out of band pivot" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Header analysis" | ||
| - "Natural Language Understanding" | ||
| - "Optical Character Recognition" | ||
| - "Whois" | ||
| id: "e6f4af53-dbb6-5917-acee-bfd7d8042c03" |