diff --git a/detection-rules/credential_phishing_esign_document_notification.yml b/detection-rules/credential_phishing_esign_document_notification.yml index 4697343102e..357b3b6f6c5 100644 --- a/detection-rules/credential_phishing_esign_document_notification.yml +++ b/detection-rules/credential_phishing_esign_document_notification.yml @@ -47,6 +47,9 @@ source: | "docufile", "E-Sign&Return", "document.signature", + "Electronic.?Signature", + "Complete: ", + "Please Review" ) ) and ( @@ -61,12 +64,15 @@ source: | or regex.icontains(body.html.raw, '(
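Review bot: `"Please Review"` and `"Complete: "` are far more generic than the neighbouring entries (`docufile`, `E-Sign&Return`, `document.signature`), so this branch alone will now match a large share of ordinary business mail and the rule's precision rests entirely on the other ANDed conditions; that dependency deserves a comment next to the new entries such as `// broad subject lures — precision comes from the body/attachment heuristics below`. The function consuming this list starts above the hunk, so I cannot confirm it is a regex matcher; `"Electronic.?Signature"` only behaves as intended if it is, and the trailing space in `"Complete: "` is harmless under substring matching but would silently miss if the input is whitespace-normalised first.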
]*>
\s*){7,}') or strings.count(body.html.raw, '  ') > 50 or regex.count(body.html.raw, - '\s*[a-z]\s*<\/span>\s*[a-z]+\s*<\/span>' - ) > 50 + '\s*[a-z]\s*<\/span>\s*[a-z]+\s*<\/span>' + ) > 50 // lookalike docusign or regex.icontains(body.html.raw, '>Docus[1l]gn<') + or (regex.icontains(body.html.inner_text, 'Document') and length(body.html.inner_text) < 300) // common greetings via email.local_part - or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part)) + or any(recipients.to, + strings.icontains(body.current_thread.text, .email.local_part) + ) // HR impersonation or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*") ) @@ -87,7 +93,9 @@ source: | '(listen|play).{0,10}(vm|voice)', 'clarify.{0,20}(deposit|wallet|funds)', 'enter.{0,15}teams', - 'Review and sign' + 'Review and sign', + 'REVIEW.*DOCUMENT' + ) ) or any(body.links, 
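Review bot: The new short-body branch `regex.icontains(body.html.inner_text, 'Document')` invokes a regex for a plain literal; `strings.icontains(body.html.inner_text, 'document')` says the same thing without regex semantics and matches the form already used in this OR group (`strings.icontains(body.current_thread.text, ...)`). It is also the loosest branch in the group — any HTML message with under 300 characters of text that mentions "document" satisfies it — so a why-comment such as `// near-empty body whose only content is a "document" lure` would help the next tuner, and it is worth confirming the rule's other ANDed conditions keep it in check. The `regex.count(...) > 50` and `any(recipients.to, ...)` changes appear to be indentation/line-wrap only.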
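Review bot: `'REVIEW.*DOCUMENT'` uses an unbounded `.*` where every sibling pattern bounds its gap (`.{0,10}`, `.{0,15}`, `.{0,20}`), so it matches any link text containing "review" followed anywhere later by "document"; `'review.{0,20}document'` keeps the intended lure and the list's convention. The call applying these patterns begins above the hunk, so I cannot see whether it is `regex.icontains`; if it is, the upper-case spelling adds nothing, and if it is a case-sensitive `regex.contains` the pattern only catches shouted text. The OCR copies of this same list added later in the commit do not include the new pattern, so the lists are already out of step.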
@@ -108,6 +116,51 @@ source: | and regex.match(.display_text, "^[^a-z]*[A-Z][^a-z]*$") ) ) + or ( + length(attachments) > 0 + and any(attachments, + ( + regex.icontains(beta.ocr(.).text, + "activate", + "re-auth", + "verify", + "acknowledg", + "(keep|change).{0,20}(active|password|access)", + '((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)', + 'use.same.pass', + 'validate.{0,15}account', + 'recover.{0,15}messages', + '(retry|update).{0,10}payment', + 'check activity', + '(listen|play).{0,10}(vm|voice)', + 'clarify.{0,20}(deposit|wallet|funds)', + 'enter.{0,15}teams', + 'Review and sign' + ) + ) + or ( + any(file.explode(.), + regex.icontains(.scan.ocr.raw, + "activate", + "re-auth", + "verify", + "acknowledg", + "(keep|change).{0,20}(active|password|access)", + '((verify|view|click|download|goto|keep|Vιew|release).{0,15}(attachment|current|download|fax|file|document|message|same)s?)', + 'use.same.pass', + 'validate.{0,15}account', + 'recover.{0,15}messages', + '(retry|update).{0,10}payment', + 'check activity', + '(listen|play).{0,10}(vm|voice)', + 'clarify.{0,20}(deposit|wallet|funds)', + 'enter.{0,15}teams', + 'Review and sign' + ) + ) + ) + ) + ) ) and ( not profile.by_sender().solicited @@ -117,7 +170,7 @@ source: | ) ) and not profile.by_sender().any_false_positives - + // negate replies/fowards containing legitimate docs and not ( length(headers.references) > 0 @@ -136,7 +189,6 @@ source: | ) or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) - attack_types: - "Credential Phishing" tactics_and_techniques:
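Review bot: The 15-pattern lure list is now hand-copied three times in this rule — the `body.links` display-text check earlier in the file and the two OCR branches here (`beta.ocr(.).text` and `file.explode(.)` → `.scan.ocr.raw`) — and it has already diverged within this commit, since `'REVIEW.*DOCUMENT'` was added to the link-text copy but neither OCR copy has it. I do not see an in-rule way to share the list (the file only references external named lists like `$high_trust_sender_root_domains`), so at minimum mark each copy with `// keep in sync with the link display_text lure list above` so future tuning touches all three. `length(attachments) > 0 and any(attachments, ...)` looks redundant if `any` over an empty list evaluates false, as I would expect here — worth confirming and dropping the guard. `beta.ocr` is a beta function, and OCR is invoked on every attachment regardless of type, so a short comment stating that expectation (and the cost accepted) would help whoever operates this rule.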