Create abuse_dropbox_sus_names.yml by @zoomequipd #2077 Source SHA e5a9988 Triggered by @zoomequipd
Sublime Rule Testing Bot
committed
Nov 4, 2024
1 parent
555bb06
commit a033bb4
Showing
1 changed file
with
2 additions
and
2 deletions.
@@ -2,7 +2,7 @@ name: "Service Abuse: DropBox Share with Suspicious Sender or Document Name" | |
description: "The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name." | ||
type: "rule" | ||
severity: "medium" | ||
source: "type.inbound\n\n// Legitimate Dropbox sending infratructure\nand sender.email.email == \"[email protected]\"\nand headers.auth_summary.spf.pass\nand headers.auth_summary.dmarc.pass\nand strings.ends_with(headers.auth_summary.spf.details.designator,\n '.dropbox.com'\n)\nand strings.icontains(subject.subject, 'shared')\nand strings.icontains(subject.subject, 'with you')\nand not (\n // contains the word dropbox\n // everything not \"shared\" and \"with you\" is actor controlled\n strings.icontains(subject.subject, 'dropbox')\n or strings.icontains(subject.subject, 'sharefile')\n\n // sender names part of the subject\n or (\n // Billing Accounting\n regex.icontains(subject.subject,\n 'Accounts? (?:Payable|Receivable).*shared',\n 'Billing Support.*shared'\n )\n\n // HR/Payroll/Legal/etc\n or regex.icontains(subject.subject, 'Compliance HR.*shared')\n or regex.icontains(subject.subject,\n '(?:Compliance|Executive|Finance|\\bHR\\b|\\bIT\\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'\n )\n or regex.icontains(subject.subject, '(?:Department|Team).*shared')\n or regex.icontains(subject.subject, 'Corporate Communications.*shared')\n or regex.icontains(subject.subject, 'Employee Relations.*shared')\n or regex.icontains(subject.subject, 'Office Manager.*shared')\n or regex.icontains(subject.subject, 'Risk Management.*shared')\n or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')\n or regex.icontains(subject.subject, 'Human Resources.*shared')\n or regex.icontains(subject.subject, 'HR.*shared')\n\n // IT related\n or regex.icontains(subject.subject,\n 'IT Support.*shared',\n 'Information Technology.*shared',\n '(?:Network|System)? 
Admin(?:istrator).*shared',\n 'Help Desk.*shared',\n 'Tech(?:nical) Support.*shared'\n )\n\n // an email address in the subject is also interesting\n or regex.icontains(subject.subject, '\\w+@\\w+\\.\\w+.*shared')\n )\n // filename analysis\n // the filename is also contianed in the subject line\n or\n (\n // scanner themed\n regex.icontains(subject.subject, 'shared.*\\\".*scanne[rd]')\n // image theme\n or regex.icontains(subject.subject, 'shared.*\\\".*_IMG_')\n or regex.icontains(subject.subject, 'shared.*\\\".*IMG[_-](?:\\d|\\W)+\\\"')\n // ondrive theme\n or regex.icontains(subject.subject, 'shared.*\\\".*one_docx')\n or regex.icontains(subject.subject, 'shared.*\\\".*One.?Drive')\n or regex.icontains(subject.subject, 'shared.*\\\".*click here')\n or regex.icontains(subject.subject, 'shared.*\\\".*Download PDF')\n or regex.icontains(subject.subject, 'shared.*\\\".*Validate')\n\n // Invoice Themes\n or regex.icontains(subject.subject, 'shared.*\\\".*Invoice')\n or regex.icontains(subject.subject, 'shared.*\\\".*INV\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Payment')\n or regex.icontains(subject.subject, 'shared.*\\\".*ACH')\n or regex.icontains(subject.subject, 'shared.*\\\".*Wire Confirmation')\n or regex.icontains(subject.subject, 'shared.*\\\".*P[O0]\\W+?\\d+\\\"')\n or regex.icontains(subject.subject, 'shared.*\\\"P[O0](?:\\W+?|\\d+)')\n or regex.icontains(subject.subject, 'shared.*\\\".*receipt')\n or regex.icontains(subject.subject, 'shared.*\\\".*Billing')\n or regex.icontains(subject.subject, 'shared.*\\\".*statement')\n or regex.icontains(subject.subject, 'shared.*\\\".*Past Due')\n or regex.icontains(subject.subject, 'shared.*\\\".*Remit(?:tance)?')\n or regex.icontains(subject.subject, 'shared.*\\\".*Purchase Order')\n or regex.icontains(subject.subject, 'shared.*\\\".*Settlement')\n \n // contract language\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Agreement')\n or regex.icontains(subject.subject, 
'shared.*\\\".*Pr[0o]p[0o]sal')\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Doc')\n\n or regex.icontains(subject.subject, 'shared.*\\\".*Claim Doc')\n\n // Payroll/HR\n or regex.icontains(subject.subject, 'shared.*\\\".*Payroll')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Pay\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Salary')\n or regex.icontains(subject.subject, 'shared.*\\\".*Benefit Enrollment')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Handbook')\n or regex.icontains(subject.subject, 'shared.*\\\".*Reimbursement Approved')\n\n\n // shared files/extenstion\n or regex.icontains(subject.subject, 'shared.*\\\".*Shared.?File')\n or regex.icontains(subject.subject, 'shared.*\\\".*Urgent')\n or regex.icontains(subject.subject, 'shared.*\\\".*Important')\n or regex.icontains(subject.subject, 'shared.*\\\".*Secure')\n or regex.icontains(subject.subject, 'shared.*\\\".*Encrypt')\n or regex.icontains(subject.subject, 'shared.*\\\".*shared')\n or regex.icontains(subject.subject, 'shared.*\\\".*protected')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.pdf')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.paper')\n // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion\n or regex.contains(subject.subject,\n 'shared \\\"[A-Z0-9[:punct:]\\s]+(?:\\.[a-zA-Z]{3,5})\\\"'\n )\n or regex.icontains(subject.subject,\n 'shared \\\".*(?:shared|sent).*\\\" with you'\n )\n\n // MFA theme\n or regex.icontains(subject.subject, 'shared.*\\\".*Verification Code')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\bMFA\\b')\n\n\n\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Agreement')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Price List')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Follow Up')\n // or 
regex.icontains(subject.subject, 'shared.*\\\".*Approved Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Pay App')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Funding Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Investment Bid')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Signed Agreement')\n\n\n // the reply-to address is within the subject\n or any(headers.reply_to,\n strings.icontains(subject.subject, .email.domain.domain)\n )\n )\n)\n" | ||
source: "type.inbound\n\n// Legitimate Dropbox sending infratructure\nand sender.email.email == \"[email protected]\"\nand headers.auth_summary.spf.pass\nand headers.auth_summary.dmarc.pass\nand strings.ends_with(headers.auth_summary.spf.details.designator,\n '.dropbox.com'\n)\nand strings.icontains(subject.subject, 'shared')\nand strings.icontains(subject.subject, 'with you')\nand (\n // contains the word dropbox\n // everything not \"shared\" and \"with you\" is actor controlled\n strings.icontains(subject.subject, 'dropbox')\n or strings.icontains(subject.subject, 'sharefile')\n\n // sender names part of the subject\n or (\n // Billing Accounting\n regex.icontains(subject.subject,\n 'Accounts? (?:Payable|Receivable).*shared',\n 'Billing Support.*shared'\n )\n\n // HR/Payroll/Legal/etc\n or regex.icontains(subject.subject, 'Compliance HR.*shared')\n or regex.icontains(subject.subject,\n '(?:Compliance|Executive|Finance|\\bHR\\b|\\bIT\\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'\n )\n or regex.icontains(subject.subject, '(?:Department|Team).*shared')\n or regex.icontains(subject.subject, 'Corporate Communications.*shared')\n or regex.icontains(subject.subject, 'Employee Relations.*shared')\n or regex.icontains(subject.subject, 'Office Manager.*shared')\n or regex.icontains(subject.subject, 'Risk Management.*shared')\n or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')\n or regex.icontains(subject.subject, 'Human Resources.*shared')\n or regex.icontains(subject.subject, 'HR.*shared')\n\n // IT related\n or regex.icontains(subject.subject,\n 'IT Support.*shared',\n 'Information Technology.*shared',\n '(?:Network|System)? 
Admin(?:istrator).*shared',\n 'Help Desk.*shared',\n 'Tech(?:nical) Support.*shared'\n )\n\n // an email address in the subject is also interesting\n or regex.icontains(subject.subject, '\\w+@\\w+\\.\\w+.*shared')\n )\n // filename analysis\n // the filename is also contianed in the subject line\n or\n (\n // scanner themed\n regex.icontains(subject.subject, 'shared.*\\\".*scanne[rd]')\n // image theme\n or regex.icontains(subject.subject, 'shared.*\\\".*_IMG_')\n or regex.icontains(subject.subject, 'shared.*\\\".*IMG[_-](?:\\d|\\W)+\\\"')\n // ondrive theme\n or regex.icontains(subject.subject, 'shared.*\\\".*one_docx')\n or regex.icontains(subject.subject, 'shared.*\\\".*One.?Drive')\n or regex.icontains(subject.subject, 'shared.*\\\".*click here')\n or regex.icontains(subject.subject, 'shared.*\\\".*Download PDF')\n or regex.icontains(subject.subject, 'shared.*\\\".*Validate')\n\n // Invoice Themes\n or regex.icontains(subject.subject, 'shared.*\\\".*Invoice')\n or regex.icontains(subject.subject, 'shared.*\\\".*INV\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Payment')\n or regex.icontains(subject.subject, 'shared.*\\\".*ACH')\n or regex.icontains(subject.subject, 'shared.*\\\".*Wire Confirmation')\n or regex.icontains(subject.subject, 'shared.*\\\".*P[O0]\\W+?\\d+\\\"')\n or regex.icontains(subject.subject, 'shared.*\\\"P[O0](?:\\W+?|\\d+)')\n or regex.icontains(subject.subject, 'shared.*\\\".*receipt')\n or regex.icontains(subject.subject, 'shared.*\\\".*Billing')\n or regex.icontains(subject.subject, 'shared.*\\\".*statement')\n or regex.icontains(subject.subject, 'shared.*\\\".*Past Due')\n or regex.icontains(subject.subject, 'shared.*\\\".*Remit(?:tance)?')\n or regex.icontains(subject.subject, 'shared.*\\\".*Purchase Order')\n or regex.icontains(subject.subject, 'shared.*\\\".*Settlement')\n \n // contract language\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Agreement')\n or regex.icontains(subject.subject, 
'shared.*\\\".*Pr[0o]p[0o]sal')\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Doc')\n\n or regex.icontains(subject.subject, 'shared.*\\\".*Claim Doc')\n\n // Payroll/HR\n or regex.icontains(subject.subject, 'shared.*\\\".*Payroll')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Pay\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Salary')\n or regex.icontains(subject.subject, 'shared.*\\\".*Benefit Enrollment')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Handbook')\n or regex.icontains(subject.subject, 'shared.*\\\".*Reimbursement Approved')\n\n\n // shared files/extenstion\n or regex.icontains(subject.subject, 'shared.*\\\".*Shared.?File')\n or regex.icontains(subject.subject, 'shared.*\\\".*Urgent')\n or regex.icontains(subject.subject, 'shared.*\\\".*Important')\n or regex.icontains(subject.subject, 'shared.*\\\".*Secure')\n or regex.icontains(subject.subject, 'shared.*\\\".*Encrypt')\n or regex.icontains(subject.subject, 'shared.*\\\".*shared')\n or regex.icontains(subject.subject, 'shared.*\\\".*protected')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.pdf')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.paper')\n // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion\n or regex.contains(subject.subject,\n 'shared \\\"[A-Z0-9[:punct:]\\s]+(?:\\.[a-zA-Z]{3,5})\\\"'\n )\n or regex.icontains(subject.subject,\n 'shared \\\".*(?:shared|sent).*\\\" with you'\n )\n\n // MFA theme\n or regex.icontains(subject.subject, 'shared.*\\\".*Verification Code')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\bMFA\\b')\n\n\n\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Agreement')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Price List')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Follow Up')\n // or 
regex.icontains(subject.subject, 'shared.*\\\".*Approved Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Pay App')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Funding Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Investment Bid')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Signed Agreement')\n\n\n // the reply-to address is within the subject\n or any(headers.reply_to,\n strings.icontains(subject.subject, .email.domain.domain)\n )\n )\n)\n" | ||
attack_types: | ||
- "Callback Phishing" | ||
- "BEC/Fraud" | ||
|
@@ -15,4 +15,4 @@ detection_methods: | |
- "Content analysis" | ||
id: "27007c9f-e738-584f-8b49-74710f9ef9a6" | ||
testing_pr: 2077 | ||
testing_sha: f7e14d14d7c62a1e61850bf70d3c325a191c6f90 | ||
testing_sha: e5a99885d27fffdd6182f61dd8469f8f3f4634e7 |
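Review bot: The bare `regex.icontains(subject.subject, 'HR.*shared')` in the sender-name group of the source: block is case-insensitive with no word boundary, so any display name containing "hr" (Chris, Christine, Kathryn) ahead of "shared" satisfies it, while the `\\bHR\\b` alternative a few lines earlier already covers the intended case; drop the line or tighten it to `'\\bHR\\b.*shared'`. The filename pattern `'shared.*\\\".*ACH'` has the same weakness (it also matches "attachment", "reach", "machine"); `'shared.*\\\".*\\bACH\\b'` keeps the ACH-payment intent without that spill-over. Separately, `Tech(?:nical) Support`, `Payroll Admin(?:istrator)` and `(?:Network|System)? Admin(?:istrator)` use non-capturing groups without a trailing `?`, so "Tech Support" and "Payroll Admin" never match; `(?:nical)?` and `(?:istrator)?` read as the intended forms. These points assume the `and (` variant of source: is the new side, which the page's lost +/- markers leave unconfirmed; the same patterns appear on both sides, so the commit itself does not alter them.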