Create abuse_dropbox_sus_names.yml

detection-rules/abuse_dropbox_sus_names.yml

@@ -0,0 +1,144 @@
+name: "Service Abuse: DropBox Share with Suspicious Sender or Document Name"
+description: "The detection rule is intended to match on messages sent from DropBox indicating a shared file to the recipient which contains suspicious content within the document or sender display name."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+
+  // Legitimate Dropbox sending infratructure
+  and sender.email.email == "[email protected]"
+  and headers.auth_summary.spf.pass
+  and headers.auth_summary.dmarc.pass
+  and strings.ends_with(headers.auth_summary.spf.details.designator,
+                        '.dropbox.com'
+  )
+  and strings.icontains(subject.subject, 'shared')
+  and strings.icontains(subject.subject, 'with you')
+  and (
+    // contains the word dropbox
+    // everything not "shared" and "with you" is actor controlled
+    strings.icontains(subject.subject, 'dropbox')
+    or strings.icontains(subject.subject, 'sharefile')
+
+    // sender names part of the subject
+    or (
+      // Billing Accounting
+      regex.icontains(subject.subject,
+                      'Accounts? (?:Payable|Receivable).*shared',
+                      'Billing Support.*shared'
+      )
+
+      // HR/Payroll/Legal/etc
+      or regex.icontains(subject.subject, 'Compliance HR.*shared')
+      or regex.icontains(subject.subject,
+                         '(?:Compliance|Executive|Finance|\bHR\b|\bIT\b|Legal|Payroll|Purchasing|Operations|Security|Training|Support).*shared'
+      )
+      or regex.icontains(subject.subject, '(?:Department|Team).*shared')
+      or regex.icontains(subject.subject, 'Corporate Communications.*shared')
+      or regex.icontains(subject.subject, 'Employee Relations.*shared')
+      or regex.icontains(subject.subject, 'Office Manager.*shared')
+      or regex.icontains(subject.subject, 'Risk Management.*shared')
+      or regex.icontains(subject.subject, 'Payroll Admin(?:istrator).*shared')
+      or regex.icontains(subject.subject, 'Human Resources.*shared')
+      or regex.icontains(subject.subject, 'HR.*shared')
+
+      // IT related
+      or regex.icontains(subject.subject,
+                         'IT Support.*shared',
+                         'Information Technology.*shared',
+                         '(?:Network|System)? Admin(?:istrator).*shared',
+                         'Help Desk.*shared',
+                         'Tech(?:nical) Support.*shared'
+      )
+
+      // an email address in the subject is also interesting
+      or regex.icontains(subject.subject, '\w+@\w+\.\w+.*shared')
+    )
+    // filename analysis
+    // the filename is also contianed in the subject line
+    or
+    (
+      // scanner themed
+      regex.icontains(subject.subject, 'shared.*\".*scanne[rd]')
+      // image theme
+      or regex.icontains(subject.subject, 'shared.*\".*_IMG_')
+      or regex.icontains(subject.subject, 'shared.*\".*IMG[_-](?:\d|\W)+\"')
+      // ondrive theme
+      or regex.icontains(subject.subject, 'shared.*\".*one_docx')
+      or regex.icontains(subject.subject, 'shared.*\".*One.?Drive')
+      or regex.icontains(subject.subject, 'shared.*\".*click here')
+      or regex.icontains(subject.subject, 'shared.*\".*Download PDF')
+      or regex.icontains(subject.subject, 'shared.*\".*Validate')
+
+      // Invoice Themes
+      or regex.icontains(subject.subject, 'shared.*\".*Invoice')
+      or regex.icontains(subject.subject, 'shared.*\".*INV\b')
+      or regex.icontains(subject.subject, 'shared.*\".*Payment')
+      or regex.icontains(subject.subject, 'shared.*\".*ACH')
+      or regex.icontains(subject.subject, 'shared.*\".*Wire Confirmation')
+      or regex.icontains(subject.subject, 'shared.*\".*P[O0]\W+?\d+\"')
+      or regex.icontains(subject.subject, 'shared.*\"P[O0](?:\W+?|\d+)')
+      or regex.icontains(subject.subject, 'shared.*\".*receipt')
+      or regex.icontains(subject.subject, 'shared.*\".*Billing')
+      or regex.icontains(subject.subject, 'shared.*\".*statement')
+      or regex.icontains(subject.subject, 'shared.*\".*Past Due')
+      or regex.icontains(subject.subject, 'shared.*\".*Remit(?:tance)?')
+      or regex.icontains(subject.subject, 'shared.*\".*Purchase Order')
+      or regex.icontains(subject.subject, 'shared.*\".*Settlement')
+
+      // contract language
+      or regex.icontains(subject.subject, 'shared.*\".*Contract Agreement')
+      or regex.icontains(subject.subject, 'shared.*\".*Pr[0o]p[0o]sal')
+      or regex.icontains(subject.subject, 'shared.*\".*Contract Doc')
+
+      or regex.icontains(subject.subject, 'shared.*\".*Claim Doc')
+
+      // Payroll/HR
+      or regex.icontains(subject.subject, 'shared.*\".*Payroll')
+      or regex.icontains(subject.subject, 'shared.*\".*Employee Pay\b')
+      or regex.icontains(subject.subject, 'shared.*\".*Salary')
+      or regex.icontains(subject.subject, 'shared.*\".*Benefit Enrollment')
+      or regex.icontains(subject.subject, 'shared.*\".*Employee Handbook')
+      or regex.icontains(subject.subject, 'shared.*\".*Reimbursement Approved')
+
+
+      // shared files/extenstion
+      or regex.icontains(subject.subject, 'shared.*\".*Shared.?File')
+      or regex.icontains(subject.subject, 'shared.*\".*Urgent')
+      or regex.icontains(subject.subject, 'shared.*\".*Important')
+      or regex.icontains(subject.subject, 'shared.*\".*Secure')
+      or regex.icontains(subject.subject, 'shared.*\".*Encrypt')
+      or regex.icontains(subject.subject, 'shared.*\".*shared')
+      or regex.icontains(subject.subject, 'shared.*\".*protected')
+      or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.pdf')
+      or regex.icontains(subject.subject, 'shared.*\".*\.docx?\.paper')
+      // all caps filename allowing for numbers, punct and spaces, and an optional file extenstion
+      or regex.contains(subject.subject,
+                        'shared \"[A-Z0-9[:punct:]\s]+(?:\.[a-zA-Z]{3,5})\"'
+      )
+      or regex.icontains(subject.subject,
+                         'shared \".*(?:shared|sent).*\" with you'
+      )
+
+      // MFA theme
+      or regex.icontains(subject.subject, 'shared.*\".*Verification Code')
+      or regex.icontains(subject.subject, 'shared.*\".*\bMFA\b')
+
+      // the reply-to address is within the subject
+      or any(headers.reply_to,
+             strings.icontains(subject.subject, .email.domain.domain)
+      )
+    )
+  )
+
+attack_types:
+  - "Callback Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+  - "Header analysis"
+  - "Content analysis"
+id: "27007c9f-e738-584f-8b49-74710f9ef9a6"