From bbe84ae69f6c745efb3d53951beb2968592b6d11 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 17 Oct 2023 13:06:13 -0700
Subject: [PATCH 1/3] New rule: impersonation_quickbooks.yml

---
 detection-rules/impersonation_quickbooks.yml | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 detection-rules/impersonation_quickbooks.yml

diff --git a/detection-rules/impersonation_quickbooks.yml b/detection-rules/impersonation_quickbooks.yml
new file mode 100644
index 00000000000..f1fb01bf702
--- /dev/null
+++ b/detection-rules/impersonation_quickbooks.yml
@@ -0,0 +1,33 @@
+name: "Brand impersonation: Quickbooks"
+description: "Impersonation of the Quickbooks service from Intuit."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ (
+ strings.ilike(sender.display_name, '*quickbooks*')
+ or strings.ilevenshtein(sender.display_name, 'quickbooks') <= 1
+ or strings.ilike(sender.email.domain.domain, '*quickbooks*')
+ )
+ or strings.ilike(body.current_thread.text, "*invoice*")
+ )
+ and any(ml.logo_detect(beta.message_screenshot()).brands,
+ .name == "Quickbooks" and .confidence in ("medium", "high")
+ )
+ and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca')
+ and (
+ not profile.by_sender().any_false_positives
+ and not profile.by_sender().solicited
+ )
+attack_types:
+ - "Callback Phishing"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"

From 21e1804ace0576c2bdd5f1da208caecf6365c664 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 17 Oct 2023 20:10:06 +0000
Subject: [PATCH 2/3] Auto add rule ID

---
 detection-rules/impersonation_quickbooks.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/impersonation_quickbooks.yml b/detection-rules/impersonation_quickbooks.yml
index f1fb01bf702..9e004f6837a 100644
--- a/detection-rules/impersonation_quickbooks.yml
+++ b/detection-rules/impersonation_quickbooks.yml
@@ -31,3 +31,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "4fd791d1-a053-5c2d-80dd-c6dcdc112a62"

From d2f5a44dcf780f098038731ae6495d1531eff8c7 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 3 Nov 2023 12:40:43 -0700
Subject: [PATCH 3/3] Update impersonation_quickbooks.yml

---
 detection-rules/impersonation_quickbooks.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/detection-rules/impersonation_quickbooks.yml b/detection-rules/impersonation_quickbooks.yml
index 9e004f6837a..af5b20fac49 100644
--- a/detection-rules/impersonation_quickbooks.yml
+++ b/detection-rules/impersonation_quickbooks.yml
@@ -20,6 +20,20 @@ source: |
 not profile.by_sender().any_false_positives
 and not profile.by_sender().solicited
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
 attack_types:
 - "Callback Phishing"
 - "Credential Phishing"
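Review bot: The `or strings.ilike(body.current_thread.text, "*invoice*")` branch makes the display-name and domain lookalike checks optional, so in practice any non-Intuit inbound message that mentions "invoice" and carries a logo the model labels Quickbooks fires; since the title and `description` read as a sender-impersonation check, that wider trigger deserves a comment inside `source`, e.g. `// invoice wording alone satisfies this group; the logo detection below is the real brand gate`. The `.name == "Quickbooks"` comparison should be confirmed against the exact label `ml.logo_detect` emits — if the comparison is case-sensitive and the model reports a differently cased label, the rule would be silently inert rather than noisy. Legitimate Quickbooks-generated invoices that a customer re-sends from their own domain will also match, with only `profile.by_sender().solicited` and `any_false_positives` to suppress them, which is worth stating in `description` so tuners know where false positives will come from.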
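Review bot: The added exemption treats a DMARC pass from a `$high_trust_sender_root_domains` sender as proof the message is benign, but DMARC only authenticates the sending domain, so Quickbooks-themed mail relayed through a legitimate account or tenant on one of those domains passes DMARC and is now excluded from the rule; a comment stating that trade-off next to the existing one would help tuners, e.g. `// DMARC pass vouches for the domain only, not the content; abuse sent via a legitimate high-trust sender is accepted here`. The `(in list and DMARC fail) or (not in list)` shape is equivalent to `sender.email.domain.root_domain not in $high_trust_sender_root_domains or any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail"))`, which reads more directly unless the longer form is a shared snippet kept verbatim across rules. The `source` expression this block extends begins before the hunk.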