From 8a98a852b574a04ddf4ae77f03f41dd584e2627f Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 18 Sep 2023 09:34:06 -0400
Subject: [PATCH 1/4] FP fix: Update link_credential_phishing_intent_and_other_indicators.yml (#790)

---
 ...ink_credential_phishing_intent_and_other_indicators.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index 9a305f9ede5..c564026ff9a 100644
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -279,7 +279,8 @@ source: |
         // this is common in link tracking, both for
         // benign marketing traffic but also attackers
         any(recipients.to,
-          strings.icontains(..href_url.url, .email.local_part)
+          .email.domain.valid
+          and strings.icontains(..href_url.url, .email.local_part)
           and strings.icontains(..href_url.url, .email.domain.domain)
         )
       )
@@ -290,12 +291,12 @@ source: |
   and (
     // freemail providers should never be sending this type of email
     sender.email.domain.domain in $free_email_providers
-
+
     // if not freemail, it's suspicious if the sender's root domain
     // doesn't match any links in the body
     or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
   )
-
+
   // first-time sender
   and (
     (

From e116d257a4a5998a208e64c191a51c798f96152d Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:44:26 -0700
Subject: [PATCH 2/4] Updating rule: impersonation_amazon.yml (#795)

---
 detection-rules/impersonation_amazon.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 0070ab55275..9ff86750df6 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
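Review bot: The re-added `strings.icontains(..href_url.url, .email.local_part)` on the new side is a bare substring test, so a short or generic local part (`a`, `it`, `info`) matches almost any link and makes this recipient/link correlation fire on mail it was not meant to describe; the new `.email.domain.valid` guard does not address that. Consider requiring a minimum length next to the guard, e.g. `.email.domain.valid and length(.email.local_part) > 3 and strings.icontains(..href_url.url, .email.local_part)`, if `length()` is available in this MQL dialect. The `any(recipients.to, …)` clause and the expression wrapping it start outside the hunk, so whether this acts as an exclusion or a positive signal is not visible here.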
@@ -25,6 +25,11 @@ source: |
     and sender.email.domain.root_domain in $free_email_providers
   )
 )
+// negate listservs
+and not (
+  any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+  and strings.contains(sender.display_name, "via")
+)
 and sender.email.domain.root_domain not in~ (
   'amazon.com',
   'amazon.com.au',

From 3bdf87800e0f993e8877a5efad0e43ac612edc56 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:46:36 -0700
Subject: [PATCH 3/4] Updating rule: impersonation_amazon.yml (#794)

---
 detection-rules/impersonation_amazon.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 9ff86750df6..a3c4eb0f132 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -33,6 +33,7 @@ source: |
   and sender.email.domain.root_domain not in~ (
     'amazon.com',
     'amazon.com.au',
+    'amazon.com.be',
     'amazon.co.uk',
     'amazon.de',
     'amazon.es',

From bf62f17de84c0f7f21def7cf41c4015f552ab5f6 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:48:58 -0700
Subject: [PATCH 4/4] Updating rule: impersonation_github.yml (#796)

---
 detection-rules/impersonation_github.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 7f60c752bac..8b3b3e79a5f 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -13,6 +13,11 @@ source: |
     or strings.ilike(sender.email.email, '*github*')
     or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
   )
+  // negating listservs
+  and not (
+    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+    and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in (
     'github.com',
     'gitlab.com',
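Review bot: `strings.contains(sender.display_name, "via")` in the new listserv exclusion is a case-sensitive substring match, so display names such as `Olivia from Amazon` or `Bolivia Amazon Deals` satisfy it and, together with any `List-Unsubscribe` header on any hop, exempt the message from this impersonation rule. Both signals are under the sender's control, so a free-mail sender impersonating Amazon only needs to add a `List-Unsubscribe` header and put `via` in the display name to bypass the rule entirely. At minimum match the word rather than the substring, e.g. `and strings.ilike(sender.display_name, '* via *')`, and consider tying the exclusion to a stronger indication that a known list service actually relayed the message. The `not (` block is complete within the hunk, but the surrounding rule expression starts and ends outside it.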
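Review bot: The new exclusion negates the rule whenever a `List-Unsubscribe` header appears on any hop and the display name contains the substring `via`, both of which an attacker sending from a look-alike GitHub domain fully controls, so as written it is a bypass rather than a narrow listserv allowance. The substring test is also case-sensitive and word-blind, unlike the `strings.ilike` check two lines above it, so `Olivia Noreply` is excluded while `GitHub Via Groups` is not. Match the word case-insensitively, `and strings.ilike(sender.display_name, '* via *')`, and consider anchoring the exclusion on the relaying list's own domain rather than on a header name alone. The enclosing rule expression starts and ends outside the hunk.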