From de858302b2ede702b97c5e444a9fc04e2fca55f8 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 13 Sep 2023 18:33:17 -0400
Subject: [PATCH 1/2] FP fix: Update link_microsoft_low_reputation.yml
Adding more MS domain to linked domains, and requiring cred_theft of med/high confidence. Was firing on cred_theft low, on images with only a single word "Microsoft"
---
 .../link_microsoft_low_reputation.yml | 39 ++++++++++---------
 1 file changed, 21 insertions(+), 18 deletions(-)
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 3579bb944e5..ae11766b03a 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -3,7 +3,7 @@ description: "Detects low reputation links with Microsoft specific indicators in
 type: "rule" severity: "medium" source: |
- type.inbound
+ type.inbound // suspicious link and any(body.links, (
@@ -12,32 +12,34 @@ source: |
 or .href_url.domain.root_domain in $free_subdomain_hosts or .href_url.domain.domain in $url_shorteners or - + // mass mailer link, masks the actual URL .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net") - + // Google AMP redirect - or ( - .href_url.domain.sld == "google" - and strings.starts_with(.href_url.path, "/amp/") - ) + or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/")) ) - + // exclude sources of potential FPs - and .href_url.domain.root_domain not in ( - "svc.ms", - "sharepoint.com", - "1drv.ms", - "microsoft.com" + and ( + .href_url.domain.root_domain not in ( + "svc.ms", + "sharepoint.com", + "1drv.ms", + "microsoft.com", + "aka.ms", + "msftauthimages.net" + ) + or .href_url.domain.root_domain not in $org_domains ) ) - + // not a reply and ( length(headers.references) == 0 or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) ) - + // Microsoft logo and ( any(attachments,
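Review bot: The rebuilt exclusion block in the `@@ -12,32 +12,34 @@` hunk joins its two tests with `or`, which defeats the Microsoft allowlist it is extending: a link to `microsoft.com` fails the first test but passes `.href_url.domain.root_domain not in $org_domains` unless microsoft.com happens to be one of the tenant's own domains, so the link is still counted as suspicious and the newly added `aka.ms`/`msftauthimages.net` entries have no effect. If the intent is to skip links that are either known-Microsoft or first-party, the two tests need `and`, e.g. `and .href_url.domain.root_domain not in (…)` followed by `and .href_url.domain.root_domain not in $org_domains`. The second patch in this series swaps the `$org_domains` disjunct for a different one but keeps the `or`, so the same reading applies there. The enclosing `any(body.links, …)` opens before this hunk.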
@@ -46,7 +48,7 @@ source: |
 ) or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) ) - + // suspicious content and ( (
@@ -104,13 +106,13 @@ source: |
 ) ) and (
- any(ml.nlu_classifier(body.html.inner_text).intents,
+ any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft" and .confidence in~ ("medium", "high") ) or any(attachments, .file_type in $file_types_images and any(file.explode(.),
- any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
+ any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence in ("medium", "high")) ) ) or (
@@ -131,6 +133,7 @@ source: |
 "sharepointonline.com", "yammer.com" ) + attack_types: - "Credential Phishing" tactics_and_techniques:
From 3344312cbc675b8f6fb9e5dd2746107be0fc2658 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 18 Sep 2023 13:13:30 -0400
Subject: [PATCH 2/2] Update link_microsoft_low_reputation.yml
---
 .../link_microsoft_low_reputation.yml | 252 +++++++++---------
 1 file changed, 127 insertions(+), 125 deletions(-)
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index ae11766b03a..5e467937174 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
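Review bot: The two new confidence tests in the `@@ -104,13 +106,13 @@` hunk use different operators: the body branch keeps `.confidence in~ ("medium", "high")` (case-insensitive) while the added OCR branch uses `.confidence in ("medium", "high")`, so if the classifier ever emits capitalised labels the OCR branch silently stops matching; the OCR line should read `.name == "cred_theft" and .confidence in~ ("medium", "high")` for parity. The hunk also moves the body classifier from `body.html.inner_text` to `body.current_thread.text`, but the urgency entity check that follows the trailing `or (` (outside this hunk, visible in the second patch) still runs `ml.nlu_classifier(body.html.inner_text)`, so quoted earlier-thread text can still satisfy the urgency branch while the cred_theft branch now ignores it. Raising the threshold from any confidence to medium/high trades recall for the described FP; the commit message only mentions the FP, so a note on which known true-positive samples were re-run would help reviewers judge the change.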
@@ -4,135 +4,137 @@ type: "rule" severity: "medium" source: | type.inbound - // suspicious link - and any(body.links, - ( - .href_url.domain.root_domain not in $tranco_1m - or .href_url.domain.domain in $free_file_hosts - or .href_url.domain.root_domain in $free_subdomain_hosts - or .href_url.domain.domain in $url_shorteners - or - - // mass mailer link, masks the actual URL - .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net") - - // Google AMP redirect - or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/")) - ) - - // exclude sources of potential FPs - and ( - .href_url.domain.root_domain not in ( - "svc.ms", - "sharepoint.com", - "1drv.ms", - "microsoft.com", - "aka.ms", - "msftauthimages.net" - ) - or .href_url.domain.root_domain not in $org_domains - ) - ) - - // not a reply - and ( - length(headers.references) == 0 - or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) - ) - - // Microsoft logo - and ( - any(attachments, - .file_type in $file_types_images - and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) - ) - or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) - ) - - // suspicious content - and ( - ( - strings.ilike(body.plain.raw, - "*password*", - "*document*", - "*voicemail*", - "*cache*", - "*fax*", - "*storage*", - "*quota*", - "*messages*" - ) - and strings.ilike(body.plain.raw, - "*terminated*", - "*review*", - "*expire*", - "*click*", - "*view*", - "*exceed*", - "*clear*", - "*only works*", - "*failed*", - "*deleted*" - ) - ) - or ( - any(attachments, + // suspicious link + and any(body.links, + ( + .href_url.domain.root_domain not in $tranco_1m + or .href_url.domain.domain in $free_file_hosts + or .href_url.domain.root_domain in $free_subdomain_hosts + or .href_url.domain.domain in $url_shorteners + or + + // mass mailer link, masks the actual URL + .href_url.domain.root_domain in 
("hubspotlinks.com", "mandrillapp.com", "sendgrid.net") + + // Google AMP redirect + or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/")) + ) + + // exclude sources of potential FPs + and ( + .href_url.domain.root_domain not in ( + "svc.ms", + "sharepoint.com", + "1drv.ms", + "microsoft.com", + "aka.ms", + "msftauthimages.net" + ) + or any(body.links, .href_url.domain.domain in $free_file_hosts) + ) + ) + + // not a reply + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // Microsoft logo + and ( + any(attachments, + .file_type in $file_types_images + and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) + ) + or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) + ) + + // suspicious content + and ( + ( + strings.ilike(body.plain.raw, + "*password*", + "*document*", + "*voicemail*", + "*cache*", + "*fax*", + "*storage*", + "*quota*", + "*messages*" + ) + and strings.ilike(body.plain.raw, + "*terminated*", + "*review*", + "*expire*", + "*click*", + "*view*", + "*exceed*", + "*clear*", + "*only works*", + "*failed*", + "*deleted*" + ) + ) + or ( + any(attachments, + .file_type in $file_types_images + and any(file.explode(.), + strings.ilike(.scan.ocr.raw, + "*password*", + "*document*", + "*voicemail*", + "*cache*", + "*fax*", + "*storage*", + "*quota*", + "*messages*" + ) + and strings.ilike(.scan.ocr.raw, + "*terminated*", + "*review*", + "*expire*", + "*click*", + "*view*", + "*exceed*", + "*clear*", + "*only works*", + "*failed*", + "*deleted*" + ) + ) + ) + ) + ) + and ( + any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "cred_theft" and .confidence in~ ("medium", "high") + ) + or any(attachments, .file_type in $file_types_images and any(file.explode(.), - strings.ilike(.scan.ocr.raw, - "*password*", - "*document*", - "*voicemail*", - "*cache*", - "*fax*", - 
"*storage*", - "*quota*", - "*messages*" - ) - and strings.ilike(.scan.ocr.raw, - "*terminated*", - "*review*", - "*expire*", - "*click*", - "*view*", - "*exceed*", - "*clear*", - "*only works*", - "*failed*", - "*deleted*" + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "cred_theft" and .confidence in ("medium", "high") ) ) - ) - ) - ) - and ( - any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "cred_theft" and .confidence in~ ("medium", "high") - ) - or any(attachments, - .file_type in $file_types_images - and any(file.explode(.), - any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence in ("medium", "high")) - ) - ) - or ( - any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") - and not any(ml.nlu_classifier(body.current_thread.text).intents, - .name == "benign" and .confidence == "high" - ) - ) - ) - and sender.email.domain.root_domain not in ( - "bing.com", - "microsoft.com", - "microsoftonline.com", - "microsoftsupport.com", - "microsoft365.com", - "office.com", - "onedrive.com", - "sharepointonline.com", - "yammer.com" - ) + ) + or ( + any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") + and not any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "benign" and .confidence == "high" + ) + ) + ) + and sender.email.domain.root_domain not in ( + "bing.com", + "microsoft.com", + "microsoftonline.com", + "microsoftsupport.com", + "microsoft365.com", + "office.com", + "onedrive.com", + "sharepointonline.com", + "yammer.com" + ) attack_types: - "Credential Phishing"
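Review bot: The replacement exclusion clause in this hunk, `.href_url.domain.root_domain not in (…) or any(body.links, .href_url.domain.domain in $free_file_hosts)`, appears to be a no-op: a message containing a free-file-host link already satisfies the outer `any(body.links, …)` through that link (it passes the `.href_url.domain.domain in $free_file_hosts` test and, unless `$free_file_hosts` overlaps the Microsoft allowlist, is not excluded), so the nested `any` cannot change the rule's outcome while reading as though Microsoft-hosted links are meant to be re-admitted. Either drop the `or …` branch and keep the plain `and .href_url.domain.root_domain not in (…)`, or, if the intent is to keep Microsoft-domain links in scope whenever a free-file-host link is also present, say so in the `// exclude sources of potential FPs` comment, since that reading is not obvious from the code. Because the hunk re-indents the entire `source:` block, this one-line logic change is easy to miss; separating whitespace-only reformatting from logic changes would make the diff reviewable. The case-sensitive `.confidence in ("medium", "high")` on the OCR branch still differs from the `in~` used on the body branch above it.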