From e9078db87236bbfe6ccdd9a6656305569207da45 Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Wed, 18 Dec 2024 10:00:24 -0600 Subject: [PATCH] Create abuse_docsend_unsolicited_reply-to.yml (#2165) Co-authored-by: ID Generator Co-authored-by: Aiden Mitchell --- .../abuse_docsend_unsolicited_reply-to.yml | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 detection-rules/abuse_docsend_unsolicited_reply-to.yml diff --git a/detection-rules/abuse_docsend_unsolicited_reply-to.yml b/detection-rules/abuse_docsend_unsolicited_reply-to.yml new file mode 100644 index 00000000000..f4e6bc0ab78 --- /dev/null +++ b/detection-rules/abuse_docsend_unsolicited_reply-to.yml @@ -0,0 +1,56 @@ +name: "Service Abuse: DocSend Share From an Unsolicited Reply-To Address" +description: "DocSend shares which contain a reply-to address or domain that has not been previously observed by the recipient organization." +type: "rule" +severity: "high" +source: | + type.inbound + + // Legitimate DocSend sending infratructure + and sender.email.email == "no-reply@docsend.com" + and headers.auth_summary.spf.pass + and headers.auth_summary.dmarc.pass + + // the message needs to have a reply-to address + and length(headers.reply_to) > 0 + + // reply-to email address has never been sent an email by the org + and not ( + any(headers.reply_to, .email.email in $recipient_emails) + // if the reply-to email address is NOT in free_email_providers, check the domain in recipient_domains + or any(filter(headers.reply_to, + // filter the list to only emails that are not in free_email_providers + ( + .email.domain.domain not in $free_email_providers + or .email.domain.root_domain not in $free_email_providers + ) + ), + .email.domain.domain in $recipient_domains + ) + ) + // reply-to address has never sent an email to the org + and not ( + any(headers.reply_to, .email.email in $sender_emails) + // if the reply-to address is NOT in free_email_providers, check the domain in sender_domains + or any(filter(headers.reply_to, + // filter the list to only emails that are not in free_email_providers + ( + .email.domain.domain not in $free_email_providers + or .email.domain.root_domain not in $free_email_providers + ) + ), + .email.domain.domain in $sender_domains + ) + ) +tags: + - "Attack surface reduction" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Free file host" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" +id: "b377e64c-21bd-5040-86ec-534e545a42db"