Update spam_attendee_list_solicitation.yml (#2022)
morriscode authored Oct 25, 2024
1 parent a4ecfed commit b84c090
Showing 1 changed file with 75 additions and 16 deletions.
91 changes: 75 additions & 16 deletions detection-rules/spam_attendee_list_solicitation.yml
Expand Up @@ -7,27 +7,86 @@ source: |
and length(body.current_thread.text) < 2000
and length(body.links) < 5
and (
regex.icontains(body.current_thread.text,
"(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?[^\n\r]{0,20}(list|database)"
(
(
any([subject.subject, body.current_thread.text],
(
regex.icontains(.,
'(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
)
and not (
regex.icount(., 'email(?:[[:punct:]]*s)?(?:\s\w*){0,9}list') == 1
and regex.icontains(.,
'(?:unsub|remove|safe|delete)[[:punct:]]*s?(?:\s\w*){0,9}(mailing|email).{0,9}list(?:\b|[^ei])',
'email list(?:\b|[^ei])[[:punct:]]*s?(\s\w*){0,5}(?:unsub|remove|safe|delete)'
)
)
)
or regex.icontains(.,
'(?:list|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
)
)
)
and regex.icontains(body.current_thread.text,
"(?:interested|accessing|purchas|obtain|acuir|sample)"
)
and not regex.icontains(body.current_thread.text,
"(?:debit card|transaction.{0,20}processed)"
)
)
or regex.icontains(body.current_thread.text,
"(list|database)[^\n\r]{0,20}(Attendee|Member|Participant|User|Visitor|Registrant|Buyer|Email)(s)?"
// if there are indicators of a previous thread, also inspect the previous thread
or (
// contains references to the previous thread
2 of (
regex.icontains(body.current_thread.text, '(?:get|got|had) a chance'),
regex.icontains(body.current_thread.text,
'(?:below|previous|last|prior) email'
),
regex.icontains(body.current_thread.text, 'follow(?:ing)? up'),
regex.icontains(body.current_thread.text, '(?:contact|attendee)s? list'),
strings.icontains(body.current_thread.text, 'heard back'),
)
and any([body.html.display_text, body.plain.raw],
(
3 of (
strings.icontains(., "from:"),
strings.icontains(., "to:"),
strings.icontains(., "sent:"),
strings.icontains(., "date:"),
strings.icontains(., "cc:"),
strings.icontains(., "subject:")
)
or strings.icontains(.,
strings.concat(sender.display_name,
" <",
sender.email.email,
"> wrote:"
)
)
)
// match _after_ the previous thread indciators
and (
regex.icontains(.,
'(?:from|to|sent|date|cc|subject|wrote):.*(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)(?:[[:punct:]]*s)?(?:\s\w*){0,9}(?:list(?:\b|[^ei])|database)'
)
or regex.icontains(.,
'(?:from|to|sent|date|cc|subject|wrote):.*(?:list(?:\b|[^ei])|database)(?:[[:punct:]]*s)?(\s\w*){0,9}(?:Attendee|Buyer|Contact|Decision Maker|Email|Member|Participant|Professional|Registrant|User|Visitor)s?'
)
or (
2 of (
strings.icontains(., "provide counts"),
regex.icontains(., "(?:verified|fresh) data"),
strings.icontains(., "precise targeting"),
strings.icontains(., "deliverability")
)
and regex.icontains(., '(?:list(?:\b|[^ei])|database)')
)
)
)
)
or regex.icontains(body.current_thread.text,
'((demand|lead\b|marketing)[^\n\r]{0,20}(manager|head|lead|supervisor|executive))'
)
)
and regex.icontains(body.current_thread.text,
"(interested|accessing|purchas|obtain|acuir|sample)"
)
and not regex.icontains(body.current_thread.text,
"(debit card|transaction.{0,20}processed)"
)
and not profile.by_sender().solicited
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:
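Review bot: The verb alternation on the new line `"(?:interested|accessing|purchas|obtain|acuir|sample)"` keeps `acuir`, which looks like a typo for `acquir` (acquire/acquiring) and so never matches that wording; the same token appears in what seems to be the old-side pattern further down, so the rewrite carried it forward rather than fixing it. Suggested: `"(?:interested|accessing|purchas|obtain|acquir|sample)"`. Two smaller points in the same hunk: the comment `// match _after_ the previous thread indciators` should read `indicators`, and the `.*` in the two `(?:from|to|sent|date|cc|subject|wrote):.*` patterns will, if `.` does not cross line breaks in this regex engine, only match solicitation wording that sits on the same line as the header token, which is narrower than the comment suggests and worth confirming against a sample quoted thread. The `source:` expression begins before this hunk.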
