Fixing FPs on fake attachment rule (#1123)

sublime-security · Dec 13, 2023 · a6bcb58 · a6bcb58
1 parent 965238c
commit a6bcb58
Showing 1 changed file with 21 additions and 19 deletions.
diff --git a/detection-rules/attachment_fake_attachment_image.yml b/detection-rules/attachment_fake_attachment_image.yml
@@ -1,6 +1,6 @@
 name: "Attachment: Fake attachment image lure"
 description: | 
-  Message body (or attached message body) contains a image faking an Outlook attachment button. The image contains OCR entities that are suspicious.
+  Message (or attached message) contains an image impersonating an Outlook attachment button.
 type: "rule"
 severity: "medium"
 source: |
@@ -9,32 +9,34 @@ source: |
     // fake file attachment preview in original email
     any(attachments,
         .file_type in $file_types_images
-        and .size < 5000
-        and any(file.explode(.),
-                any(ml.nlu_classifier(.scan.ocr.raw).entities,
-                    .name in~ ("financial", "urgency")
-                )
-        )
-        and any(attachments,
-                .file_type in $file_types_images
-                and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
-        )
+        and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
     )
     // fake file attachment preview in attached EML
     or any(attachments,
-           .content_type == "message/rfc822"
+           (.content_type == "message/rfc822" or .file_extension == "eml")
            and any(file.parse_eml(.).attachments,
                    .file_type in $file_types_images
-                   and .size < 5000
-                   and any(file.explode(.),
-                           any(ml.nlu_classifier(.scan.ocr.raw).entities,
-                               .name in~ ("financial", "urgency")
-                           )
-                   )
+                   and any(ml.logo_detect(.).brands, .name == "FakeAttachment")
            )
     )
   )
-
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and (
+    not profile.by_sender().solicited
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
 tags:
   - "Suspicious attachment"
   - "Suspicious content"