From 6b9836d00dbdd652b77ec1602a2db399d1f023e4 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 12 Nov 2024 17:32:24 -0500
Subject: [PATCH 1/2] Update impersonation_microsoft_credential_theft.yml

---
 ...personation_microsoft_credential_theft.yml | 22 ++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/detection-rules/impersonation_microsoft_credential_theft.yml b/detection-rules/impersonation_microsoft_credential_theft.yml
index 06b0e693ebb..67a4e682602 100644
--- a/detection-rules/impersonation_microsoft_credential_theft.yml
+++ b/detection-rules/impersonation_microsoft_credential_theft.yml
@@ -4,12 +4,28 @@ type: "rule"
 severity: "high"
 source: |
   type.inbound
-  and length(attachments) == 0
+  and (
+    length(attachments) > 0
+    and (
+      all(attachments, .file_type in $file_types_images or .file_type == "pdf")
+      or length(attachments) == 0
+    )
+  )
   and any(ml.logo_detect(beta.message_screenshot()).brands,
     strings.starts_with(.name, "Microsoft")
   )
-  and any(ml.nlu_classifier(body.current_thread.text).intents,
-    .name == "cred_theft" and .confidence in ("medium", "high")
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+      .name == "cred_theft" and .confidence in ("medium", "high")
+    )
+    or (
+      length(body.current_thread.text) == 0
+      and any(file.explode(beta.message_screenshot()),
+        any(ml.nlu_classifier(.scan.ocr.raw).intents,
+          .name == "cred_theft" and .confidence in ("medium", "high")
+        )
+      )
+    )
   )
   and (
     not (

From 6e5c03587b966bb3de5392cb0e756865b24f6037 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 12 Nov 2024 17:58:40 -0500
Subject: [PATCH 2/2] Update impersonation_microsoft_credential_theft.yml

---
 .../impersonation_microsoft_credential_theft.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/detection-rules/impersonation_microsoft_credential_theft.yml b/detection-rules/impersonation_microsoft_credential_theft.yml
index 67a4e682602..36f64134c9e 100644
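Review bot: The OCR fallback added in the second `and (` group is gated on `length(body.current_thread.text) == 0`, so a lure that carries the Microsoft-branded credential prompt as an image but includes even a single character of body text (presumably hidden text counts too, depending on how `body.current_thread.text` is extracted) never reaches the `.scan.ocr.raw` classifier, and the text-only `ml.nlu_classifier(body.current_thread.text)` path is unlikely to score medium/high on near-empty text. A short-text threshold instead of an exact-empty check would narrow that bypass, e.g. `length(body.current_thread.text) < 100`, with the cutoff tuned against the rule's corpus; running the OCR branch unconditionally is also defensible since `beta.message_screenshot()` is already rendered for `ml.logo_detect`. The attachment gate in the first `and (` group is reworked by the second patch, so it is not reviewed here. The `source:` expression continues past the end of the hunk (`and (` / `not (` is its tail).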
--- a/detection-rules/impersonation_microsoft_credential_theft.yml
+++ b/detection-rules/impersonation_microsoft_credential_theft.yml
@@ -5,11 +5,13 @@ severity: "high"
 source: |
   type.inbound
   and (
-    length(attachments) > 0
-    and (
-      all(attachments, .file_type in $file_types_images or .file_type == "pdf")
-      or length(attachments) == 0
+    (
+      length(attachments) > 0
+      and all(attachments,
+        .file_type in $file_types_images or .file_type == "pdf"
+      )
     )
+    or length(attachments) == 0
   )
   and any(ml.logo_detect(beta.message_screenshot()).brands,
     strings.starts_with(.name, "Microsoft")
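Review bot: Image and PDF attachments are now admitted by the `all(attachments, …)` gate, but nothing in this hunk inspects their content, so a Microsoft-branded message whose credential-theft wording lives inside the attached image or PDF is judged on the body text and message screenshot alone; unless a separate attachment-focused rule already covers that case, the OCR branch introduced in the first patch could be extended to attachments with `any(attachments, any(file.explode(.), any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence in ("medium", "high"))))`. Separately, if MQL's `all()` is vacuously true on an empty list as it is in most languages, the `length(attachments) > 0` guard and the `or length(attachments) == 0` branch are both redundant and the whole group reduces to the single `all(attachments, .file_type in $file_types_images or .file_type == "pdf")` line — worth confirming against the MQL semantics before simplifying. The `source:` expression continues beyond the hunk on both sides.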