diff --git a/detection-rules/abuse_dropbox_sus_names.yml b/detection-rules/abuse_dropbox_sus_names.yml
index ac0fca6bce8..26333ad5f96 100644
--- a/detection-rules/abuse_dropbox_sus_names.yml
+++ b/detection-rules/abuse_dropbox_sus_names.yml
@@ -2,7 +2,7 @@ name: "Service Abuse: DropBox Share with Suspicious Sender or Document Name" description: "The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name." type: "rule" severity: "medium" -source: "type.inbound\n\n// Legitimate Dropbox sending infratructure\nand sender.email.email == \"no-reply@dropbox.com\"\nand headers.auth_summary.spf.pass\nand headers.auth_summary.dmarc.pass\nand strings.ends_with(headers.auth_summary.spf.details.designator,\n '.dropbox.com'\n)\nand strings.icontains(subject.subject, 'shared')\nand strings.icontains(subject.subject, 'with you')\nand not (\n // contains the word dropbox\n // everything not \"shared\" and \"with you\" is actor controlled\n strings.icontains(subject.subject, 'dropbox')\n or strings.icontains(subject.subject, 'sharefile')\n\n // sender names part of the subject\n or (\n // Billing Accounting\n regex.icontains(subject.subject,\n 'Accounts? 
(?:Payable|Receivable).*shared',\n 'Billing Support.*shared'\n )\n\n // HR/Payroll/Legal/etc\n or regex.icontains(subject.subject, 'Compliance HR.*shared')\n or regex.icontains(subject.subject,\n '(?:Compliance|Executive|Finance|\\bHR\\b|\\bIT\\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'\n )\n or regex.icontains(subject.subject, '(?:Department|Team).*shared')\n or regex.icontains(subject.subject, 'Corporate Communications.*shared')\n or regex.icontains(subject.subject, 'Employee Relations.*shared')\n or regex.icontains(subject.subject, 'Office Manager.*shared')\n or regex.icontains(subject.subject, 'Risk Management.*shared')\n or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')\n or regex.icontains(subject.subject, 'Human Resources.*shared')\n or regex.icontains(subject.subject, 'HR.*shared')\n\n // IT related\n or regex.icontains(subject.subject,\n 'IT Support.*shared',\n 'Information Technology.*shared',\n '(?:Network|System)? Admin(?:istrator).*shared',\n 'Help Desk.*shared',\n 'Tech(?:nical) Support.*shared'\n )\n\n // an email address in the subject is also interesting\n or regex.icontains(subject.subject, '\\w+@\\w+\\.\\w+.*shared')\n )\n // filename analysis\n // the filename is also contianed in the subject line\n or\n (\n // scanner themed\n regex.icontains(subject.subject, 'shared.*\\\".*scanne[rd]')\n // image theme\n or regex.icontains(subject.subject, 'shared.*\\\".*_IMG_')\n or regex.icontains(subject.subject, 'shared.*\\\".*IMG[_-](?:\\d|\\W)+\\\"')\n // ondrive theme\n or regex.icontains(subject.subject, 'shared.*\\\".*one_docx')\n or regex.icontains(subject.subject, 'shared.*\\\".*One.?Drive')\n or regex.icontains(subject.subject, 'shared.*\\\".*click here')\n or regex.icontains(subject.subject, 'shared.*\\\".*Download PDF')\n or regex.icontains(subject.subject, 'shared.*\\\".*Validate')\n\n // Invoice Themes\n or regex.icontains(subject.subject, 'shared.*\\\".*Invoice')\n or 
regex.icontains(subject.subject, 'shared.*\\\".*INV\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Payment')\n or regex.icontains(subject.subject, 'shared.*\\\".*ACH')\n or regex.icontains(subject.subject, 'shared.*\\\".*Wire Confirmation')\n or regex.icontains(subject.subject, 'shared.*\\\".*P[O0]\\W+?\\d+\\\"')\n or regex.icontains(subject.subject, 'shared.*\\\"P[O0](?:\\W+?|\\d+)')\n or regex.icontains(subject.subject, 'shared.*\\\".*receipt')\n or regex.icontains(subject.subject, 'shared.*\\\".*Billing')\n or regex.icontains(subject.subject, 'shared.*\\\".*statement')\n or regex.icontains(subject.subject, 'shared.*\\\".*Past Due')\n or regex.icontains(subject.subject, 'shared.*\\\".*Remit(?:tance)?')\n or regex.icontains(subject.subject, 'shared.*\\\".*Purchase Order')\n or regex.icontains(subject.subject, 'shared.*\\\".*Settlement')\n \n // contract language\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Agreement')\n or regex.icontains(subject.subject, 'shared.*\\\".*Pr[0o]p[0o]sal')\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Doc')\n\n or regex.icontains(subject.subject, 'shared.*\\\".*Claim Doc')\n\n // Payroll/HR\n or regex.icontains(subject.subject, 'shared.*\\\".*Payroll')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Pay\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Salary')\n or regex.icontains(subject.subject, 'shared.*\\\".*Benefit Enrollment')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Handbook')\n or regex.icontains(subject.subject, 'shared.*\\\".*Reimbursement Approved')\n\n\n // shared files/extenstion\n or regex.icontains(subject.subject, 'shared.*\\\".*Shared.?File')\n or regex.icontains(subject.subject, 'shared.*\\\".*Urgent')\n or regex.icontains(subject.subject, 'shared.*\\\".*Important')\n or regex.icontains(subject.subject, 'shared.*\\\".*Secure')\n or regex.icontains(subject.subject, 'shared.*\\\".*Encrypt')\n or regex.icontains(subject.subject, 
'shared.*\\\".*shared')\n or regex.icontains(subject.subject, 'shared.*\\\".*protected')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.pdf')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.paper')\n // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion\n or regex.contains(subject.subject,\n 'shared \\\"[A-Z0-9[:punct:]\\s]+(?:\\.[a-zA-Z]{3,5})\\\"'\n )\n or regex.icontains(subject.subject,\n 'shared \\\".*(?:shared|sent).*\\\" with you'\n )\n\n // MFA theme\n or regex.icontains(subject.subject, 'shared.*\\\".*Verification Code')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\bMFA\\b')\n\n\n\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Agreement')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Price List')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Follow Up')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Approved Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Pay App')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Funding Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Investment Bid')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Signed Agreement')\n\n\n // the reply-to address is within the subject\n or any(headers.reply_to,\n strings.icontains(subject.subject, .email.domain.domain)\n )\n )\n)\n" +source: "type.inbound\n\n// Legitimate Dropbox sending infratructure\nand sender.email.email == \"no-reply@dropbox.com\"\nand headers.auth_summary.spf.pass\nand headers.auth_summary.dmarc.pass\nand strings.ends_with(headers.auth_summary.spf.details.designator,\n '.dropbox.com'\n)\nand strings.icontains(subject.subject, 'shared')\nand strings.icontains(subject.subject, 'with you')\nand (\n // contains the word dropbox\n // everything not \"shared\" and \"with you\" is actor controlled\n 
strings.icontains(subject.subject, 'dropbox')\n or strings.icontains(subject.subject, 'sharefile')\n\n // sender names part of the subject\n or (\n // Billing Accounting\n regex.icontains(subject.subject,\n 'Accounts? (?:Payable|Receivable).*shared',\n 'Billing Support.*shared'\n )\n\n // HR/Payroll/Legal/etc\n or regex.icontains(subject.subject, 'Compliance HR.*shared')\n or regex.icontains(subject.subject,\n '(?:Compliance|Executive|Finance|\\bHR\\b|\\bIT\\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'\n )\n or regex.icontains(subject.subject, '(?:Department|Team).*shared')\n or regex.icontains(subject.subject, 'Corporate Communications.*shared')\n or regex.icontains(subject.subject, 'Employee Relations.*shared')\n or regex.icontains(subject.subject, 'Office Manager.*shared')\n or regex.icontains(subject.subject, 'Risk Management.*shared')\n or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')\n or regex.icontains(subject.subject, 'Human Resources.*shared')\n or regex.icontains(subject.subject, 'HR.*shared')\n\n // IT related\n or regex.icontains(subject.subject,\n 'IT Support.*shared',\n 'Information Technology.*shared',\n '(?:Network|System)? 
Admin(?:istrator).*shared',\n 'Help Desk.*shared',\n 'Tech(?:nical) Support.*shared'\n )\n\n // an email address in the subject is also interesting\n or regex.icontains(subject.subject, '\\w+@\\w+\\.\\w+.*shared')\n )\n // filename analysis\n // the filename is also contianed in the subject line\n or\n (\n // scanner themed\n regex.icontains(subject.subject, 'shared.*\\\".*scanne[rd]')\n // image theme\n or regex.icontains(subject.subject, 'shared.*\\\".*_IMG_')\n or regex.icontains(subject.subject, 'shared.*\\\".*IMG[_-](?:\\d|\\W)+\\\"')\n // ondrive theme\n or regex.icontains(subject.subject, 'shared.*\\\".*one_docx')\n or regex.icontains(subject.subject, 'shared.*\\\".*One.?Drive')\n or regex.icontains(subject.subject, 'shared.*\\\".*click here')\n or regex.icontains(subject.subject, 'shared.*\\\".*Download PDF')\n or regex.icontains(subject.subject, 'shared.*\\\".*Validate')\n\n // Invoice Themes\n or regex.icontains(subject.subject, 'shared.*\\\".*Invoice')\n or regex.icontains(subject.subject, 'shared.*\\\".*INV\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Payment')\n or regex.icontains(subject.subject, 'shared.*\\\".*ACH')\n or regex.icontains(subject.subject, 'shared.*\\\".*Wire Confirmation')\n or regex.icontains(subject.subject, 'shared.*\\\".*P[O0]\\W+?\\d+\\\"')\n or regex.icontains(subject.subject, 'shared.*\\\"P[O0](?:\\W+?|\\d+)')\n or regex.icontains(subject.subject, 'shared.*\\\".*receipt')\n or regex.icontains(subject.subject, 'shared.*\\\".*Billing')\n or regex.icontains(subject.subject, 'shared.*\\\".*statement')\n or regex.icontains(subject.subject, 'shared.*\\\".*Past Due')\n or regex.icontains(subject.subject, 'shared.*\\\".*Remit(?:tance)?')\n or regex.icontains(subject.subject, 'shared.*\\\".*Purchase Order')\n or regex.icontains(subject.subject, 'shared.*\\\".*Settlement')\n \n // contract language\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Agreement')\n or regex.icontains(subject.subject, 
'shared.*\\\".*Pr[0o]p[0o]sal')\n or regex.icontains(subject.subject, 'shared.*\\\".*Contract Doc')\n\n or regex.icontains(subject.subject, 'shared.*\\\".*Claim Doc')\n\n // Payroll/HR\n or regex.icontains(subject.subject, 'shared.*\\\".*Payroll')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Pay\\b')\n or regex.icontains(subject.subject, 'shared.*\\\".*Salary')\n or regex.icontains(subject.subject, 'shared.*\\\".*Benefit Enrollment')\n or regex.icontains(subject.subject, 'shared.*\\\".*Employee Handbook')\n or regex.icontains(subject.subject, 'shared.*\\\".*Reimbursement Approved')\n\n\n // shared files/extenstion\n or regex.icontains(subject.subject, 'shared.*\\\".*Shared.?File')\n or regex.icontains(subject.subject, 'shared.*\\\".*Urgent')\n or regex.icontains(subject.subject, 'shared.*\\\".*Important')\n or regex.icontains(subject.subject, 'shared.*\\\".*Secure')\n or regex.icontains(subject.subject, 'shared.*\\\".*Encrypt')\n or regex.icontains(subject.subject, 'shared.*\\\".*shared')\n or regex.icontains(subject.subject, 'shared.*\\\".*protected')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.pdf')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\.docx?\\.paper')\n // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion\n or regex.contains(subject.subject,\n 'shared \\\"[A-Z0-9[:punct:]\\s]+(?:\\.[a-zA-Z]{3,5})\\\"'\n )\n or regex.icontains(subject.subject,\n 'shared \\\".*(?:shared|sent).*\\\" with you'\n )\n\n // MFA theme\n or regex.icontains(subject.subject, 'shared.*\\\".*Verification Code')\n or regex.icontains(subject.subject, 'shared.*\\\".*\\bMFA\\b')\n\n\n\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Project Agreement')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Price List')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Follow Up')\n // or 
regex.icontains(subject.subject, 'shared.*\\\".*Approved Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Pay App')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Funding Proposal')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Investment Bid')\n // or regex.icontains(subject.subject, 'shared.*\\\".*Signed Agreement')\n\n\n // the reply-to address is within the subject\n or any(headers.reply_to,\n strings.icontains(subject.subject, .email.domain.domain)\n )\n )\n)\n"
 attack_types:
 - "Callback Phishing"
 - "BEC/Fraud"
@@ -15,4 +15,4 @@ detection_methods:
 - "Content analysis"
 id: "27007c9f-e738-584f-8b49-74710f9ef9a6"
 testing_pr: 2077
-testing_sha: f7e14d14d7c62a1e61850bf70d3c325a191c6f90
+testing_sha: e5a99885d27fffdd6182f61dd8469f8f3f4634e7
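Review bot: `regex.icontains(subject.subject, 'HR.*shared')` at the end of the HR/Payroll group in the new `source` has no word boundaries, so with the enclosing condition now `and (` rather than `and not (` every share whose sender display name merely contains the letters "hr" (Chris, Christine, Kathryn) becomes a positive hit; the boundary-bearing `\\bHR\\b` alternative a few lines above already covers the intended case, so this line can be dropped or rewritten as `regex.icontains(subject.subject, '\\bHR\\b.*shared')`. Several groups the comments treat as optional are mandatory because the `?` is missing — `'Tech(?:nical) Support.*shared'`, `'(?:Network|System)? Admin(?:istrator).*shared'`, `'Payroll Admin(?:istrator).*shared'` — so a "System Admin" or "Tech Support" sender name never matches those patterns; they should read `(?:nical)?` and `(?:istrator)?`. The all-caps filename pattern has the same defect: its comment promises an optional file extension, but `(?:\\.[a-zA-Z]{3,5})` lacks a trailing `?`, so an extension-less all-caps name is not matched. Since the inversion also turns broad substring checks such as `'dropbox'`, `'Secure'` and `'Important'` into triggers, it would be worth confirming against benign Dropbox share notifications that precision is still acceptable.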