Update link_credential_phishing_voicemail_language.yml (#863)

sublime-security · Oct 18, 2023 · d6ed917 · d6ed917
1 parent ff301af
commit d6ed917
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 11 deletions.
diff --git a/detection-rules/attachment_eml_html_attachment_portal.yml b/detection-rules/attachment_eml_html_attachment_portal.yml
@@ -8,7 +8,7 @@ source: |
 
   // exclude bounce backs & read receipts
   and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
-  and not regex.icontains(subject.subject, "^(undeliverable|read:)")
+  and not regex.imatch(subject.subject, "(undeliverable|read:).*")
   and not any(attachments, .content_type == "message/delivery-status")
 
   // if the "References" is in the body of the message, it's probably a bounce

diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -10,8 +10,8 @@ source: |
   // voicemail related
   and (
     any([subject.subject, sender.display_name, ],
-        regex.icontains(., '(voice)\s?(mail|message|recording|call)|transcription')
-        or regex.contains(body.current_thread.text, '(voice)\s?(mail|message|recording|call)')
+        regex.icontains(., '(voice|audio)\s?(mail|message|recording|call)|transcription')
+        or regex.contains(body.current_thread.text, '(voice|audio)\s?(mail|message|recording|call)')
     )
   )
     and 2 of (
@@ -45,12 +45,10 @@ source: |
         )
       ),
     )
-    and (
-      sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com", "voipinterface.net")
-      or not any(attachments, strings.starts_with(.content_type, "audio"))
-    )
-  
-    // negating legit replies
+    
+  // negating legit replies and legitimate audio file attachments and known voicemail senders
+  and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com", "voipinterface.net")
+  and not any(attachments, strings.starts_with(.content_type, "audio"))
     and not (
       (
         strings.istarts_with(subject.subject, "RE:")
@@ -71,6 +69,7 @@ source: |
       and not profile.by_sender().any_false_positives
     )
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:

diff --git a/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml b/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml
@@ -13,7 +13,7 @@ source: |
         regex.icontains(.display_text,
                         '(view|click|download|goto)?(attachment|download|file|online|document)s?'
         )
-        or all(body.links, regex.contains(.display_text, "^[A-Z ]+$"))
+        or all(body.links, regex.match(.display_text, "[A-Z ]+"))
     )
   )
   and any(ml.nlu_classifier(body.current_thread.text).intents,

diff --git a/signals/sender/sender_display_is_upper.yml b/signals/sender/sender_display_is_upper.yml
@@ -1,4 +1,4 @@
 name: "Sender: Display Name Contains All Capital Letters"
 type: "query"
 source: |
-  regex.match(sender.display_name, "^[^a-z]*[A-Z][^a-z]*$")
+  regex.match(sender.display_name, "[^a-z]*[A-Z][^a-z]*")