diff --git a/detection-rules/abuse_dropbox_sus_names.yml b/detection-rules/abuse_dropbox_sus_names.yml new file mode 100644 index 00000000000..eff94846d7b --- /dev/null +++ b/detection-rules/abuse_dropbox_sus_names.yml @@ -0,0 +1,144 @@ +name: "Service Abuse: DropBox Share with Suspicious Sender or Document Name" +description: "The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name." +type: "rule" +severity: "medium" +source: | + type.inbound + + // Legitimate Dropbox sending infratructure + and sender.email.email == "no-reply@dropbox.com" + and headers.auth_summary.spf.pass + and headers.auth_summary.dmarc.pass + and strings.ends_with(headers.auth_summary.spf.details.designator, + '.dropbox.com' + ) + and strings.icontains(subject.subject, 'shared') + and strings.icontains(subject.subject, 'with you') + and ( + // contains the word dropbox + // everything not "shared" and "with you" is actor controlled + strings.icontains(subject.subject, 'dropbox') + or strings.icontains(subject.subject, 'sharefile') + + // sender names part of the subject + or ( + // Billing Accounting + regex.icontains(subject.subject, + 'Accounts? (?:Payable|Receivable).*shared', + 'Billing Support.*shared' + ) + + // HR/Payroll/Legal/etc + or regex.icontains(subject.subject, 'Compliance HR.*shared') + or regex.icontains(subject.subject, + '(?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared' + ) + or regex.icontains(subject.subject, '(?:Department|Team).*shared') + or regex.icontains(subject.subject, 'Corporate Communications.*shared') + or regex.icontains(subject.subject, 'Employee Relations.*shared') + or regex.icontains(subject.subject, 'Office Manager.*shared') + or regex.icontains(subject.subject, 'Risk Management.*shared') + or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared') + or regex.icontains(subject.subject, 'Human Resources.*shared') + or regex.icontains(subject.subject, 'HR.*shared') + + // IT related + or regex.icontains(subject.subject, + 'IT Support.*shared', + 'Information Technology.*shared', + '(?:Network|System)? Admin(?:istrator).*shared', + 'Help Desk.*shared', + 'Tech(?:nical) Support.*shared' + ) + + // an email address in the subject is also interesting + or regex.icontains(subject.subject, '\w+@\w+\.\w+.*shared') + ) + // filename analysis + // the filename is also contianed in the subject line + or + ( + // scanner themed + regex.icontains(subject.subject, 'shared.*\".*scanne[rd]') + // image theme + or regex.icontains(subject.subject, 'shared.*\".*_IMG_') + or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"') + // ondrive theme + or regex.icontains(subject.subject, 'shared.*\".*one_docx') + or regex.icontains(subject.subject, 'shared.*\".*One.?Drive') + or regex.icontains(subject.subject, 'shared.*\".*click here') + or regex.icontains(subject.subject, 'shared.*\".*Download PDF') + or regex.icontains(subject.subject, 'shared.*\".*Validate') + + // Invoice Themes + or regex.icontains(subject.subject, 'shared.*\".*Invoice') + or regex.icontains(subject.subject, 'shared.*\".*INV\b') + or regex.icontains(subject.subject, 'shared.*\".*Payment') + or regex.icontains(subject.subject, 'shared.*\".*ACH') + or regex.icontains(subject.subject, 'shared.*\".*Wire Confirmation') + or regex.icontains(subject.subject, 'shared.*\".*P[O0]\W+?\d+\"') + or regex.icontains(subject.subject, 'shared.*\"P[O0](?:\W+?|\d+)') + or regex.icontains(subject.subject, 'shared.*\".*receipt') + or regex.icontains(subject.subject, 'shared.*\".*Billing') + or regex.icontains(subject.subject, 'shared.*\".*statement') + or regex.icontains(subject.subject, 'shared.*\".*Past Due') + or regex.icontains(subject.subject, 'shared.*\".*Remit(?:tance)?') + or regex.icontains(subject.subject, 'shared.*\".*Purchase Order') + or regex.icontains(subject.subject, 'shared.*\".*Settlement') + + // contract language + or regex.icontains(subject.subject, 'shared.*\".*Contract Agreement') + or regex.icontains(subject.subject, 'shared.*\".*Pr[0o]p[0o]sal') + or regex.icontains(subject.subject, 'shared.*\".*Contract Doc') + + or regex.icontains(subject.subject, 'shared.*\".*Claim Doc') + + // Payroll/HR + or regex.icontains(subject.subject, 'shared.*\".*Payroll') + or regex.icontains(subject.subject, 'shared.*\".*Employee Pay\b') + or regex.icontains(subject.subject, 'shared.*\".*Salary') + or regex.icontains(subject.subject, 'shared.*\".*Benefit Enrollment') + or regex.icontains(subject.subject, 'shared.*\".*Employee Handbook') + or regex.icontains(subject.subject, 'shared.*\".*Reimbursement Approved') + + + // shared files/extenstion + or regex.icontains(subject.subject, 'shared.*\".*Shared.?File') + or regex.icontains(subject.subject, 'shared.*\".*Urgent') + or regex.icontains(subject.subject, 'shared.*\".*Important') + or regex.icontains(subject.subject, 'shared.*\".*Secure') + or regex.icontains(subject.subject, 'shared.*\".*Encrypt') + or regex.icontains(subject.subject, 'shared.*\".*shared') + or regex.icontains(subject.subject, 'shared.*\".*protected') + or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.pdf') + or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.paper') + // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion + or regex.contains(subject.subject, + 'shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})\"' + ) + or regex.icontains(subject.subject, + 'shared \".*(?:shared|sent).*\" with you' + ) + + // MFA theme + or regex.icontains(subject.subject, 'shared.*\".*Verification Code') + or regex.icontains(subject.subject, 'shared.*\".*\bMFA\b') + + // the reply-to address is within the subject + or any(headers.reply_to, + strings.icontains(subject.subject, .email.domain.domain) + ) + ) + ) + +attack_types: + - "Callback Phishing" + - "BEC/Fraud" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "Sender analysis" + - "Header analysis" + - "Content analysis" +id: "27007c9f-e738-584f-8b49-74710f9ef9a6"