From a26cea98aebc116bf343ac49892e34cc1349d1c4 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 21 Aug 2023 11:26:22 -0400
Subject: [PATCH 1/3] New Rule: X (Twitter) Impersonation with Credential Phishing motives
---
 .../impersonation_x_with_credphish_nlu.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 detection-rules/impersonation_x_with_credphish_nlu.yml
diff --git a/detection-rules/impersonation_x_with_credphish_nlu.yml b/detection-rules/impersonation_x_with_credphish_nlu.yml
new file mode 100644
index 00000000000..5ced9507ee4
--- /dev/null
+++ b/detection-rules/impersonation_x_with_credphish_nlu.yml
@@ -0,0 +1,26 @@
+name: "X (Twitter) Impersonation with Credential Phishing motives"
+description: |
+ This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X," provided the email doesn't originate from twitter.com or x.com. If image attachments are present, our Natural Language Understanding (NLU) engine scans for markers indicative of credential theft. In the absence of attachments, the email body undergoes NLU analysis, both requiring a medium-to-high confidence level for flagging.
+references:
+
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (sender.display_name =~ "x" or sender.email.local_part =~ "x")
+ and sender.email.domain.root_domain not in ("twitter.com", "x.com")
+ and (
+ any(attachments,
+ .file_type in~ $file_types_images
+ and any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence != "low"
+ )
+ )
+ )
+ or any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name == "cred_theft" and .confidence != "low"
+ )
+ )
+tags:
+
\ No newline at end of file
From 7594077cabec4ac02944eb263a22deeadc7b3509 Mon Sep 17 00:00:00 2001
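Review bot: The exclusion `sender.email.domain.root_domain not in ("twitter.com", "x.com")` in the `source` block trusts the claimed sender domain without any authentication check, so a message whose From domain is twitter.com or x.com but fails DMARC is excluded from the rule even though that is exactly the case a brand-impersonation rule wants to catch. Consider pairing the exclusion with an authentication condition, e.g. `and ( sender.email.domain.root_domain not in ("twitter.com", "x.com") or not headers.auth_summary.dmarc.pass )`, assuming the MQL exposes that field as other rules typically use it. The `=~ "x"` comparisons are presumably a case-insensitive exact match, which is what the description's "solitary use of X" implies; a one-line comment in `source` stating that display names such as "X Corp" are deliberately out of scope for this rule would save the next maintainer from reading it as a substring check.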
From: Sam Scholten
Date: Mon, 21 Aug 2023 11:29:42 -0400
Subject: [PATCH 2/3] Update impersonation_x_with_credphish_nlu.yml
---
 .../impersonation_x_with_credphish_nlu.yml | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/detection-rules/impersonation_x_with_credphish_nlu.yml b/detection-rules/impersonation_x_with_credphish_nlu.yml
index 5ced9507ee4..48436156ddb 100644
--- a/detection-rules/impersonation_x_with_credphish_nlu.yml
+++ b/detection-rules/impersonation_x_with_credphish_nlu.yml
@@ -1,8 +1,8 @@
 name: "X (Twitter) Impersonation with Credential Phishing motives"
 description: |
- This rule is designed to identify impersonation attempts by analyzing the display name or sender's local part for the solitary use of "X," provided the email doesn't originate from twitter.com or x.com. If image attachments are present, our Natural Language Understanding (NLU) engine scans for markers indicative of credential theft. In the absence of attachments, the email body undergoes NLU analysis, both requiring a medium-to-high confidence level for flagging.
-references:
-
+ This rule is designed to identify impersonation attempts by analyzing the display name or sender's
+ local part for the solitary use of "X" provided the email doesn't originate from twitter.com or x.com.
+ Natural Language Understanding (NLU) is used to check for credential theft requiring a medium-to-high confidence level for flagging.
 type: "rule"
 severity: "medium"
 source: |
@@ -22,5 +22,15 @@ source: |
 .name == "cred_theft" and .confidence != "low"
 )
 )
-tags:
-
\ No newline at end of file
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "File analysis"
+ - "Header analysis"
+ - "Optical Character Recognition"
+ - "Natural Language Understanding"
+ - "Sender analysis"
From 0ef157e3082e2c5d706bf654db8c76955d683f03 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Mon, 21 Aug 2023 15:31:42 +0000
Subject: [PATCH 3/3] Auto add rule ID
---
 detection-rules/impersonation_x_with_credphish_nlu.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/impersonation_x_with_credphish_nlu.yml b/detection-rules/impersonation_x_with_credphish_nlu.yml
index 48436156ddb..19912e3521a 100644
--- a/detection-rules/impersonation_x_with_credphish_nlu.yml
+++ b/detection-rules/impersonation_x_with_credphish_nlu.yml
@@ -34,3 +34,4 @@ detection_methods:
 - "Optical Character Recognition"
 - "Natural Language Understanding"
 - "Sender analysis"
+id: "0b60dca6-db2d-5718-94d8-fdbfd06bd081"