Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FP fix: Update link_microsoft_low_reputation.yml #791

Merged
merged 4 commits into from
Sep 20, 2023
Merged

FP fix: Update link_microsoft_low_reputation.yml #791

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
de85830
FP fix: Update link_microsoft_low_reputation.yml
morriscode Sep 13, 2023
7e437eb
Merge branch 'main' into sam.ms.lowrep
morriscode Sep 18, 2023
3344312
Update link_microsoft_low_reputation.yml
morriscode Sep 18, 2023
a91db11
Merge branch 'main' into sam.ms.lowrep
jkamdjou Sep 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
253 changes: 129 additions & 124 deletions detection-rules/link_microsoft_low_reputation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,134 +3,139 @@ description: "Detects low reputation links with Microsoft specific indicators in
type: "rule"
severity: "medium"
source: |
type.inbound
// suspicious link
and any(body.links,
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or

// mass mailer link, masks the actual URL
.href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")

// Google AMP redirect
or (
.href_url.domain.sld == "google"
and strings.starts_with(.href_url.path, "/amp/")
)
)

// exclude sources of potential FPs
and .href_url.domain.root_domain not in (
"svc.ms",
"sharepoint.com",
"1drv.ms",
"microsoft.com"
)
)

// not a reply
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

// Microsoft logo
and (
any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
)

// suspicious content
and (
(
strings.ilike(body.plain.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(body.plain.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
)
)
or (
any(attachments,
type.inbound
// suspicious link
and any(body.links,
(
.href_url.domain.root_domain not in $tranco_1m
or .href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.domain in $url_shorteners
or

// mass mailer link, masks the actual URL
.href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")

// Google AMP redirect
or (.href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/"))
)

// exclude sources of potential FPs
and (
.href_url.domain.root_domain not in (
"svc.ms",
"sharepoint.com",
"1drv.ms",
"microsoft.com",
"aka.ms",
"msftauthimages.net"
)
or any(body.links, .href_url.domain.domain in $free_file_hosts)
)
)

// not a reply
and (
length(headers.references) == 0
or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

// Microsoft logo
and (
any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
)

// suspicious content
and (
(
strings.ilike(body.plain.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(body.plain.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
)
)
or (
any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(.scan.ocr.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
)
)
)
)
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in~ ("medium", "high")
)
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*password*",
"*document*",
"*voicemail*",
"*cache*",
"*fax*",
"*storage*",
"*quota*",
"*messages*"
)
and strings.ilike(.scan.ocr.raw,
"*terminated*",
"*review*",
"*expire*",
"*click*",
"*view*",
"*exceed*",
"*clear*",
"*only works*",
"*failed*",
"*deleted*"
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
)
)
and (
any(ml.nlu_classifier(body.html.inner_text).intents,
.name == "cred_theft" and .confidence in~ ("medium", "high")
)
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
)
)
or (
any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com"
)
)
or (
any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com"
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
Loading