Merge branch 'main' into sam.via.patch.1

sublime-security · Sep 22, 2023 · c2858a2 · c2858a2
2 parents e211608 + f6052cb
commit c2858a2
Show file tree

Hide file tree

Showing 6 changed files with 303 additions and 126 deletions.
diff --git a/detection-rules/attachment_html_smuggling_body_onload.yml b/detection-rules/attachment_html_smuggling_body_onload.yml
@@ -0,0 +1,49 @@
+name: "Attachment: HTML smuggling 'body onload' linking to suspicious destination"
+description: |
+  Potential HTML Smuggling. 
+  This rule inspects HTML attachments that contain a single link and leveraging an HTML body onload event. The linked domain must be in the URLhaus trusted repoters list, or have a suspicious TLD. 
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
+            or (
+              .file_extension is null
+              and .file_type == "unknown"
+              and .content_type == "application/octet-stream"
+            )
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_type == "html"
+            or .content_type == "text/html"
+          )
+          and any(file.explode(.),
+                  not length(.scan.url.invalid_urls) > 0
+                  and length(.scan.url.urls) == 1
+                  and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
+                  and (
+                    any(.scan.url.urls,
+                        .domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
+                        
+                        // To-do uncomment below when list is created
+                        //or .domain.root_domain in $suspicious_root_domains
+                        or .domain.tld in $suspicious_tlds
+                    )
+                  )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "HTML analysis"
+  - "Link analysis"
+id: "c1e2beed-e71e-58d2-b922-9601337645b2"
diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml
@@ -0,0 +1,39 @@
+name: "Attachment: HTML smuggling with decimal encoding"
+description: |
+  Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. 
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
+            or (
+              .file_extension is null
+              and .file_type == "unknown"
+              and .content_type == "application/octet-stream"
+            )
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_type == "html"
+            or .content_type == "text/html"
+          )
+          and any(file.explode(.),
+                  // suspicious identifiers
+                  any(.scan.strings.strings,
+                      regex.contains(., '(\d{2,3},){60,}')
+                  )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "HTML analysis"
+id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -10,7 +10,12 @@ source: |
   )
   // negating legit replies
   and not (
-    strings.istarts_with(subject.subject, "RE:")
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      // out of office auto-reply
+      // the NLU model will handle these better natively soon
+      or strings.istarts_with(subject.subject, "Automatic reply:")
+    )
     and (
       length(headers.references) > 0
       or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))

diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -25,7 +25,11 @@ source: |
       all(body.links,
           .href_url.domain.root_domain != sender.email.domain.root_domain
           and .href_url.domain.root_domain not in $org_domains
-          and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
+          and .href_url.domain.root_domain not in (
+            "unitelvoice.com",
+            "googleapis.com",
+            "dialmycalls.com"
+          )
       )
     ),
     (
@@ -34,6 +38,20 @@ source: |
     ),
   )
   and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
+  
+  // negating legit replies
+  and not (
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      // out of office auto-reply
+      // the NLU model will handle these better natively soon
+      or strings.istarts_with(subject.subject, "Automatic reply:")
+    )
+    and (
+      length(headers.references) > 0
+      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+    )
+  )
   and (
     (
       sender.email.domain.root_domain in $free_email_providers