update headers_DL_unsolicited.yml #2428

Open
wants to merge 8 commits into
base: main
from
29 changes: 25 additions & 4 deletions detection-rules/headers_DL_unsolicited.yml
Expand Up @@ -5,7 +5,6 @@ severity: "medium"
source: |
type.inbound
and length(recipients.to) == 1
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
// abuse involves a popular service
and sender.email.domain.root_domain in $majestic_million
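Review bot: removing `and length(recipients.cc) == 0` (the deleted line under the `-5,7 +5,6` header) widens the rule to messages that carry CC recipients while the `length(recipients.to) == 1` and `length(recipients.bcc) == 0` constraints are kept, and neither the PR title nor a comment says why. If CC'd traffic is meant to qualify, add a comment beside the remaining recipient-count checks stating that, and confirm the recipient-history checks further down (which test `.email.domain.domain` and `.email.email` on a recipient collection whose `any(...)` header is not shown in this view) are evaluated over CC addresses too; otherwise a CC'd address that has never been seen by the org gets no vetting at all.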
Expand All @@ -16,8 +15,18 @@ source: |
and not any(recipients.to, .email.email =~ sender.email.email)

// uses Sender Rewrite Scheme indicating the message traversed a distribtion list or other automatic relay
and strings.icontains(headers.return_path.local_part, "+SRS=")

and (
strings.icontains(headers.return_path.local_part, "+SRS=")
// when the receipient is a group controlled by the final recipient
// the return_path header can be overwritten
// check the SPF designator for evidence of SRS
or strings.icontains(headers.auth_summary.spf.details.designator, "+SRS=")
or any(headers.hops,
strings.icontains(.authentication_results.spf_details.designator,
'+SRS='
)
)
)
// the sender and recipient is not in $org_domains
and sender.email.domain.domain not in $org_domains
// the recipient has never sent an email to the org
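Review bot: the two new fallbacks (`headers.auth_summary.spf.details.designator` and the `any(headers.hops, ...)` scan of every hop's `.authentication_results.spf_details.designator`) accept SRS evidence from any hop in the path rather than from the return path of the message as delivered, so an SRS rewrite at an earlier relay now satisfies the condition even when the final return path is untouched. If only the group-forwarding case described in the comment is intended, say so in the comment or constrain which hop is inspected. Two style points in the added lines: "receipient" should be "recipient", and the literal is written `"+SRS="` on two lines and `'+SRS='` on the third; the rest of the rule uses double quotes, so use those throughout. The pre-existing context comment also has "distribtion" for "distribution" if you are already editing this block.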
Expand All @@ -26,11 +35,23 @@ source: |
// ensure the recipient domain has never send/received an email to/from the org
and (
(
.email.domain.domain not in $sender_domains
// use the domain only if the sender domain is not within free_email_providers
.email.domain.domain not in $free_email_providers
and .email.domain.root_domain not in $free_email_providers
and .email.domain.domain not in $sender_domains
and .email.domain.root_domain not in $sender_domains
and .email.domain.domain not in $recipient_domains
and .email.domain.root_domain not in $recipient_domains
)
or (
// use the email address the sender domain is within free_email_providers
(
.email.domain.domain in $free_email_providers
or .email.domain.root_domain in $free_email_providers
)
and .email.email not in $sender_emails
and .email.email not in $recipient_emails
)
or (
.email.domain.root_domain in ("onmicrosoft.com")
// negate onmicrosoft domains within org_domains
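Review bot: the comments in this hunk describe the wrong party. Both branches test the recipient (the enclosing comment reads "ensure the recipient domain has never send/received an email to/from the org" and the fields are `.email.domain.domain` / `.email.email` of the iterated recipient), yet the first comment says "use the domain only if the sender domain is not within free_email_providers" and the second says "use the email address the sender domain is within free_email_providers". Suggest "use the domain only when the recipient domain is not within free_email_providers" and "use the full email address when the recipient domain is within free_email_providers", and fix "has never send/received" to "has never sent/received" while here. The logic itself reads correctly: the `$free_email_providers` test on both `.domain.domain` and `.domain.root_domain` makes the two branches complementary, so a gmail.com recipient no longer passes just because the org has previously exchanged mail with gmail.com, and is instead checked against `$sender_emails` and `$recipient_emails` by exact address.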