From d643728c57db5f45f0fbcb71f30e6962eafd29a4 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 30 Jan 2024 15:57:05 -0700
Subject: [PATCH] New Rule (Attachment): PDF with credential theft language and link to a free subdomain (#667)
Co-authored-by: ID Generator
Co-authored-by: Sam Scholten
Co-authored-by: Sam Scholten
---
 ...tachment_pdf_free_subdomain_cred_theft.yml | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 detection-rules/attachment_pdf_free_subdomain_cred_theft.yml
diff --git a/detection-rules/attachment_pdf_free_subdomain_cred_theft.yml b/detection-rules/attachment_pdf_free_subdomain_cred_theft.yml
new file mode 100644
index 00000000000..f8d573968e6
--- /dev/null
+++ b/detection-rules/attachment_pdf_free_subdomain_cred_theft.yml
@@ -0,0 +1,43 @@
+name: "Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)"
+description: |
+ Detects messages with credential theft PDFs linking to free subdomains.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
+ )
+ and any(attachments,
+ .file_extension == "pdf"
+ and any(file.explode(.),
+ any(.scan.pdf.urls,
+ .domain.root_domain in $free_subdomain_hosts
+ and .domain.subdomain is not null
+ and .domain.subdomain != "www"
+ )
+ and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence in ("medium", "high")
+ )
+ )
+ )
+ // unsolicited
+ and (
+ not profile.by_sender().solicited
+ or profile.by_sender().any_messages_malicious_or_spam
+ )
+
+ and not profile.by_sender().any_false_positives
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free subdomain host"
+ - "PDF"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+id: "90f4ef4e-463f-5ea6-ae83-82ea07a30b70"
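Review bot: The attachment branch requires the free-subdomain URL and the OCR cred_theft intent to be satisfied by the same exploded object, because both `any(.scan.pdf.urls, …)` and `any(ml.nlu_classifier(.scan.ocr.raw).intents, …)` sit inside a single `any(file.explode(.), …)`; if the platform emits a PDF's link annotations and its OCR'd page text as separate exploded items (which cannot be confirmed from this file), the rule would silently miss otherwise matching attachments, so this is worth checking against sample detonations before relying on it, or restructuring as two `any(file.explode(.), …)` calls over the same attachment. The stray blank line between the closing `)` of the unsolicited group and `and not profile.by_sender().any_false_positives` breaks the otherwise consistent layout of the `source` block and should be dropped. The description also understates the rule's gating: it fires only when the message body itself carries a medium/high cred_theft intent and the sender is unsolicited or has prior malicious/spam history, so a fuller line such as `Detects unsolicited messages whose body and attached PDF both carry credential theft language, where the PDF links to a free subdomain host.` would help future tuning.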