From 5e96751acf60414451469b59ad6f18265b94b9fc Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 22 Sep 2023 20:21:35 -0400
Subject: [PATCH 1/7] New Rule: QR Simplified

---
 ...tachment_qr_code_suspicious_indicators.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 detection-rules/attachment_qr_code_suspicious_indicators.yml

diff --git a/detection-rules/attachment_qr_code_suspicious_indicators.yml b/detection-rules/attachment_qr_code_suspicious_indicators.yml
new file mode 100644
index 00000000000..16c7e8d127d
--- /dev/null
+++ b/detection-rules/attachment_qr_code_suspicious_indicators.yml
@@ -0,0 +1,22 @@
+name: "QR Simplified"
+description: |
+
+references:
+
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and 0 < length(attachments) < 3
+ and not sender.email.domain.root_domain in $org_display_names
+ and (
+ any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
+ or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
+ or length(body.current_thread.text) is null
+ or body.current_thread.text == ""
+ )
+ and any(attachments,
+ .file_type in $file_types_images and (any(file.explode(.), .scan.qr.type == "url"))
+ )
+tags:
+ - "Potential Rule - Sam"
\ No newline at end of file

From e07fcf70e11c45dacec1ad2547da7c3532a60641 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 22 Sep 2023 20:26:31 -0400
Subject: [PATCH 2/7] Update attachment_qr_code_suspicious_indicators.yml

---
 ...tachment_qr_code_suspicious_indicators.yml | 33 +++++++++++++++----
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/detection-rules/attachment_qr_code_suspicious_indicators.yml b/detection-rules/attachment_qr_code_suspicious_indicators.yml
index 16c7e8d127d..e5392bbfea4 100644
--- a/detection-rules/attachment_qr_code_suspicious_indicators.yml
+++ b/detection-rules/attachment_qr_code_suspicious_indicators.yml
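Review bot: `and not sender.email.domain.root_domain in $org_display_names` compares a domain against a list whose name says it holds display names, so the org-sender exclusion this line is meant to provide is unlikely ever to match; either compare against a domain list (`$org_domains`, if that is the list this rule set uses for it) or match the display-name list against `sender.display_name`. The line is carried unchanged into the rewrites in patches 2 and 6. In the same hunk, `or length(body.current_thread.text) is null` tests the length rather than the text, and if `length()` of a missing string yields 0 rather than null the branch never fires; `or body.current_thread.text is null` states the intent directly, and that line also survives into the patch 6 file.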
@@ -1,13 +1,11 @@
-name: "QR Simplified"
+name: "Attachment: QR Code with suspicious indicators
 description: |
-
-references:
-
+ This rule detects a QR code in messages with 3 or less attachments where the senders display name contains the recipients SLD (Single Level Domain), or the recipients email is found in the body, or the entire body is null/empty.
 type: "rule"
 severity: "high"
 source: |
 type.inbound
- and 0 < length(attachments) < 3
+ and 0 < length(attachments) <= 3
 and not sender.email.domain.root_domain in $org_display_names
 and (
 any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
@@ -18,5 +16,26 @@ source: |
 and any(attachments,
 .file_type in $file_types_images and (any(file.explode(.), .scan.qr.type == "url"))
 )
-tags:
- - "Potential Rule - Sam"
\ No newline at end of file
+
+ // sender profile is new or outlier
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "QR code"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Computer Vision"
+ - "Natural Language Understanding"
+ - "QR code analysis"
+ - "Sender analysis"
+ - "URL analysis"

From 6293d7957f00a5fbf9a0e8e39bc6b215bfc1eb1e Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 22 Sep 2023 20:35:13 -0400
Subject: [PATCH 3/7] Update attachment_qr_code_suspicious_indicators.yml

---
 .../attachment_qr_code_suspicious_indicators.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/detection-rules/attachment_qr_code_suspicious_indicators.yml b/detection-rules/attachment_qr_code_suspicious_indicators.yml
index e5392bbfea4..73ec47a7d1e 100644
--- a/detection-rules/attachment_qr_code_suspicious_indicators.yml
+++ b/detection-rules/attachment_qr_code_suspicious_indicators.yml
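Review bot: The description added here expands SLD as "Single Level Domain", but `.email.domain.sld` in the condition it describes is the second-level domain (the `example` of `example.com`); `the recipients SLD (second-level domain)` says what the check actually compares. The expansion is kept when patch 3 re-wraps the description, so it would need fixing there as well. Wording only; the condition itself is not at issue.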
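Review bot: The comment `// sender profile is new or outlier` introduced here describes only the first branch of the gate; the `or (...)` branch also admits senders that are neither new nor outlier but have prior malicious messages and no recorded false positives, which is the more consequential condition for a high-severity rule. Suggest `// sender is new/outlier, or has prior malicious messages and no false positives`. The comment is carried unchanged into patches 4, 6 and 7, and patch 7 widens the second branch to spam history, so the wording drifts further there.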
@@ -1,6 +1,7 @@
-name: "Attachment: QR Code with suspicious indicators
+name: "Attachment: QR Code with suspicious indicators"
 description: |
- This rule detects a QR code in messages with 3 or less attachments where the senders display name contains the recipients SLD (Single Level Domain), or the recipients email is found in the body, or the entire body is null/empty.
+ This rule detects a QR code in messages with 3 or less attachments where the senders display name contains the recipients SLD (Single Level Domain)
+ or the recipients email is found in the body, or the entire body is null/empty.
 type: "rule"
 severity: "high"
 source: |
@@ -25,7 +26,6 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:

From 5d807f7297a027790fb4af05268f996718df7a0c Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 22 Sep 2023 20:44:04 -0400
Subject: [PATCH 4/7] Update attachment_qr_code_suspicious_indicators.yml

---
 detection-rules/attachment_qr_code_suspicious_indicators.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/detection-rules/attachment_qr_code_suspicious_indicators.yml b/detection-rules/attachment_qr_code_suspicious_indicators.yml
index 73ec47a7d1e..6a86e3642ea 100644
--- a/detection-rules/attachment_qr_code_suspicious_indicators.yml
+++ b/detection-rules/attachment_qr_code_suspicious_indicators.yml
@@ -17,8 +17,7 @@ source: |
 and any(attachments,
 .file_type in $file_types_images and (any(file.explode(.), .scan.qr.type == "url"))
 )
-
- // sender profile is new or outlier
+ // sender profile is new or outlier
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (

From 6399a54ee0c196cf53e1ad2db5e9f236948f86c4 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Sat, 23 Sep 2023 00:47:22 +0000
Subject: [PATCH 5/7] Auto add rule ID

---
 detection-rules/attachment_qr_code_suspicious_indicators.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/attachment_qr_code_suspicious_indicators.yml b/detection-rules/attachment_qr_code_suspicious_indicators.yml
index 6a86e3642ea..3093d5328c2 100644
--- a/detection-rules/attachment_qr_code_suspicious_indicators.yml
+++ b/detection-rules/attachment_qr_code_suspicious_indicators.yml
@@ -38,3 +38,4 @@ detection_methods:
 - "QR code analysis"
 - "Sender analysis"
 - "URL analysis"
+id: "04f5c34f-6518-512d-916c-4c2c2827c6a9"

From 640435d74d9b2618fd28b39789406b5c7375d014 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Sat, 23 Sep 2023 13:06:00 -0400
Subject: [PATCH 6/7] Update and rename attachment_qr_code_suspicious_indicators.yml to qr_code_suspicious_indicators.yml

Revising rule to incorporate message screenshot
---
 ...tachment_qr_code_suspicious_indicators.yml | 41 --------------
 .../qr_code_suspicious_indicators.yml | 56 +++++++++++++++++++
 2 files changed, 56 insertions(+), 41 deletions(-)
 delete mode 100644 detection-rules/attachment_qr_code_suspicious_indicators.yml
 create mode 100644 detection-rules/qr_code_suspicious_indicators.yml

diff --git a/detection-rules/attachment_qr_code_suspicious_indicators.yml b/detection-rules/attachment_qr_code_suspicious_indicators.yml
deleted file mode 100644
index 3093d5328c2..00000000000
--- a/detection-rules/attachment_qr_code_suspicious_indicators.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: "Attachment: QR Code with suspicious indicators"
-description: |
- This rule detects a QR code in messages with 3 or less attachments where the senders display name contains the recipients SLD (Single Level Domain)
- or the recipients email is found in the body, or the entire body is null/empty.
-type: "rule"
-severity: "high"
-source: |
- type.inbound
- and 0 < length(attachments) <= 3
- and not sender.email.domain.root_domain in $org_display_names
- and (
- any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
- or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
- or length(body.current_thread.text) is null
- or body.current_thread.text == ""
- )
- and any(attachments,
- .file_type in $file_types_images and (any(file.explode(.), .scan.qr.type == "url"))
- )
- // sender profile is new or outlier
- and (
- profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_malicious_messages
- and not profile.by_sender().any_false_positives
- )
- )
-attack_types:
- - "Credential Phishing"
-tactics_and_techniques:
- - "QR code"
- - "Social engineering"
-detection_methods:
- - "Content analysis"
- - "Header analysis"
- - "Computer Vision"
- - "Natural Language Understanding"
- - "QR code analysis"
- - "Sender analysis"
- - "URL analysis"
-id: "04f5c34f-6518-512d-916c-4c2c2827c6a9"
diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml
new file mode 100644
index 00000000000..69cab396351
--- /dev/null
+++ b/detection-rules/qr_code_suspicious_indicators.yml
@@ -0,0 +1,56 @@
+name: "QR Code with suspicious indicators"
+description: |
+ This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and (
+ length(attachments) <= 3
+ and (
+ any(attachments,
+ .file_type in $file_types_images and (any(file.explode(.), .scan.qr.type == "url"))
+ )
+ or (
+ length(attachments) == 0
+ and any(file.explode(beta.message_screenshot()), .scan.qr.type == "url")
+ )
+ )
+ and not sender.email.domain.root_domain in $org_display_names
+ and (
+ any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
+ or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
+ or length(body.current_thread.text) is null
+ or body.current_thread.text == ""
+ or regex.contains(subject.subject,
+ "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
+ )
+ or (any(recipients.to, strings.icontains(subject.subject, .display_name)))
+ or (
+ (length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
+ and length(recipients.cc) == 0
+ and length(recipients.bcc) == 0
+ )
+ )
+ )
+
+ // sender profile is new or outlier
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "QR code"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
+ - "Computer Vision"
+ - "Natural Language Understanding"
+ - "QR code analysis"
+ - "Sender analysis"
+ - "URL analysis"
+id: "04f5c34f-6518-512d-916c-4c2c2827c6a9"

From f7b3267ec6d7efd7add4cdca524a953a5f2e889f Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 26 Sep 2023 18:01:40 -0400
Subject: [PATCH 7/7] Update qr_code_suspicious_indicators.yml

---
 detection-rules/qr_code_suspicious_indicators.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml
index 69cab396351..b929c268a99 100644
--- a/detection-rules/qr_code_suspicious_indicators.yml
+++ b/detection-rules/qr_code_suspicious_indicators.yml
@@ -37,7 +37,10 @@ source: |
 // sender profile is new or outlier
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
 )
 
 attack_types:
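Review bot: `regex.contains(subject.subject, "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)")` is case-sensitive while its alternatives mix cases, so subjects such as `AUTHENTICATE`, `QR Code` or `Multi-Factor` are not matched as written; `regex.icontains` gives the case-insensitive match the list implies. The bare `alert` alternative matches any subject containing that substring, which is a weak indicator for a high-severity rule; bounding it as `\\balert\\b` (doubled backslash because `\b` is itself a YAML escape inside a double-quoted scalar) narrows it. `or (any(recipients.to, strings.icontains(subject.subject, .display_name)))` would match every subject for a recipient whose display name is empty, if an empty needle counts as contained, so a `.display_name != ""` guard is worth adding. The description at the top of this hunk lists the body and subject triggers but not the sender-profile gate at the end of the query, which every match must also pass.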
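Review bot: Replacing `any_malicious_messages` with `any_messages_malicious_or_spam` widens the sender gate from senders with malicious history to anyone ever flagged as spam, and bulk senders that were once marked spam (newsletters, marketing) also routinely send image attachments carrying QR codes, so a high-severity rule can start firing on them whenever one of the weak indicators such as an empty body also holds. If spam history is wanted, pairing it with a stronger indicator than the body/subject checks, or keeping `any_malicious_messages` as the default, would limit that. This gate is one `and` clause of a query whose other clauses lie outside the hunk.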