From d4a3656d20938ca4a44807f0750dd642d5472036 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Mon, 4 Nov 2024 14:00:24 +0000
Subject: [PATCH] Sync from PR#2002 Create mismatched_display_url_suspicious_href_tld.yml by @morriscode https://github.com/sublime-security/sublime-rules/pull/2002 Source SHA 39811f04a215f2b8d0ca06bfaf1c543bd0559e0c Triggered by @morriscode
---
 ...atched_display_url_suspicious_href_tld.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 detection-rules/mismatched_display_url_suspicious_href_tld.yml
diff --git a/detection-rules/mismatched_display_url_suspicious_href_tld.yml b/detection-rules/mismatched_display_url_suspicious_href_tld.yml
new file mode 100644
index 00000000000..c870c92b1d0
--- /dev/null
+++ b/detection-rules/mismatched_display_url_suspicious_href_tld.yml
@@ -0,0 +1,30 @@
+name: "Display url mismatch leading to suspicious TLD"
+description: "This rule detects messages that do not original from a suspicious TLD, but contain a link mismatch where the destination url is a suspicious tld. "
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and 0 < length(body.links) < 30
+ and not any([subject.subject, sender.display_name],
+ regex.icontains(., '(а|е|и|о|у)')
+ )
+ and sender.email.domain.tld not in $suspicious_tlds
+ and any(body.links,
+ not strings.contains(.display_url.url, "@")
+ and .display_url.domain.tld not in $suspicious_tlds
+ and .mismatched
+ and .href_url.domain.tld in $suspicious_tlds
+ and not .href_url.domain.root_domain == "avanan.click"
+ and not .href_url.domain.root_domain == "emailprotection.link"
+ and not .display_url.url =~ "chownow.com"
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "URL analysis"
+id: "07b13707-92c5-599a-b6da-1cb2d26dab14"
+testing_pr: 2002
+testing_sha: 39811f04a215f2b8d0ca06bfaf1c543bd0559e0c
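Review bot: The `not any([subject.subject, sender.display_name], regex.icontains(., '(а|е|и|о|у)'))` exclusion keys the whole rule off two attacker-controlled fields, so a sender can disable detection by placing a single Cyrillic vowel (a common homoglyph for Latin a/e/o anyway) in the display name or subject while every other condition still holds. If the intent is to suppress false positives on Cyrillic-language mail, it should be hedged with a stronger signal than one character, for example requiring a Cyrillic word such as `regex.icontains(., '[а-яё]{3,}')` and documenting that intent in the description, or dropping the exclusion and tuning `$suspicious_tlds` instead. The `0 < length(body.links) < 30` bound is a similar, though more conventional, bypass: padding the body past 29 links switches the rule off. Separately, the description reads "do not original from a suspicious TLD"; it should say "do not originate from a suspicious TLD".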