From b51f30db5557102adf7d60686dd728234fb7598f Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 25 Oct 2023 09:45:05 -0400 Subject: [PATCH 1/4] Initial batch of $high_trust_sender negations --- .../attachment_any_html_new_sender.yml | 15 +++++++++++++++ .../attachment_any_html_unsolicited.yml | 14 ++++++++++++++ .../body_business_email_compromise_new_sender.yml | 15 +++++++++++++++ .../callback_phishing_nlu_body_or_attachments.yml | 15 +++++++++++++++ detection-rules/impersonation_amazon.yml | 15 +++++++++++++++ detection-rules/impersonation_amex.yml | 15 +++++++++++++++ detection-rules/impersonation_bank_of_america.yml | 15 +++++++++++++++ detection-rules/impersonation_chase.yml | 15 +++++++++++++++ detection-rules/impersonation_coinbase.yml | 14 ++++++++++++++ detection-rules/impersonation_dhl.yml | 15 +++++++++++++++ detection-rules/impersonation_dropbox.yml | 15 +++++++++++++++ .../impersonation_employee_urgent_request.yml | 15 +++++++++++++++ detection-rules/impersonation_human_resources.yml | 15 +++++++++++++++ detection-rules/impersonation_microsoft.yml | 14 ++++++++++++++ detection-rules/impersonation_paypal.yml | 15 +++++++++++++++ detection-rules/impersonation_spotify.yml | 15 +++++++++++++++ .../impersonation_sublime_security.yml | 14 ++++++++++++++ detection-rules/impersonation_ups.yml | 15 +++++++++++++++ detection-rules/impersonation_vanta.yml | 15 +++++++++++++++ detection-rules/impersonation_venmo.yml | 14 ++++++++++++++ .../impersonation_vip_urgent_request.yml | 14 ++++++++++++++ detection-rules/impersonation_wells_fargo.yml | 15 +++++++++++++++ detection-rules/link_credential_phishing.yml | 15 +++++++++++++++ detection-rules/link_microsoft_low_reputation.yml | 14 ++++++++++++++ .../link_qr_code_suspicious_language_fts.yml | 15 +++++++++++++++ detection-rules/qr_code_suspicious_indicators.yml | 14 ++++++++++++++ 26 files changed, 382 insertions(+) 
diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
index 117804f24ce..cc95a145e08 100644
--- a/detection-rules/attachment_any_html_new_sender.yml
+++ b/detection-rules/attachment_any_html_new_sender.yml
@@ -18,6 +18,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 tags:
 - "Attack surface reduction"
 tactics_and_techniques:
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index 4b3daf7f348..37af6e750d0 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -15,6 +15,20 @@ source: |
 not profile.by_sender().any_false_positives
 and not profile.by_sender().solicited
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
 tags:
 - "Attack surface reduction"
 tactics_and_techniques:
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index ffec5179bee..52a4d81d134 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
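Review bot: The negation fails open: once the sender root domain is in `$high_trust_sender_domains`, the rule is suppressed unless some hop records a DMARC result matching `*fail`, so a message whose Authentication-Results carry no DMARC verdict at all (the `any(...)` over an empty list is false), or a `none`/`temperror`/`permerror` verdict, is exempted exactly like one that passed — which is the spoofing case the trusted list is meant to guard against. Requiring a positive verdict closes that gap and also collapses the `(in and fail) or not in` pair into a single clause, `sender.email.domain.root_domain not in $high_trust_sender_domains or not any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "pass"))`. Separately, `distinct(headers.hops, .authentication_results.dmarc is not null)` keys the hops on a boolean, which presumably keeps only the first hop that carries a DMARC result, so a later hop's verdict would be ignored; if every hop with a result is intended, `filter` looks like the helper wanted — confirm against the MQL reference. The same block is added verbatim to all 26 files in this patch, so the same change applies to every hunk, and the enclosing `source` expression starts before the hunk in each of them.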
@@ -28,6 +28,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 6bb839e781f..54a4228244f 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -37,6 +37,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Callback Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index a3c4eb0f132..b3f79834832 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -58,6 +58,21 @@ source: |
 )
 and sender.email.email not in $recipient_emails
 and sender.email.domain.domain not in $org_domains
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml
index 984e899216c..481ea759c7b 100644
--- a/detection-rules/impersonation_amex.yml
+++ b/detection-rules/impersonation_amex.yml
@@ -26,6 +26,21 @@ source: |
 )
 and sender.email.domain.domain not in ('accountprotection.microsoft.com')
 and sender.email.email not in $recipient_emails
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml
index e901b0cb634..a772d48fc9b 100644
--- a/detection-rules/impersonation_bank_of_america.yml
+++ b/detection-rules/impersonation_bank_of_america.yml
@@ -14,6 +14,21 @@ source: |
 )
 and sender.email.domain.root_domain not in~ ('bankofamerica.com', 'transunion.com', 'bofa.com')
 and sender.email.email not in $recipient_emails
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
index 15a8108ef0b..7a9e07c49a3 100644
--- a/detection-rules/impersonation_chase.yml
+++ b/detection-rules/impersonation_chase.yml
@@ -30,6 +30,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml
index 3b15e463925..a888bf684b5 100644
--- a/detection-rules/impersonation_coinbase.yml
+++ b/detection-rules/impersonation_coinbase.yml
@@ -28,6 +28,20 @@ source: |
 and sender.email.domain.domain not in $recipient_domains
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
 tags:
 - "Cryptocurrency"
 attack_types:
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index 99d9d08539b..8861db8178a 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -31,6 +31,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml
index 20971fd3cc7..0c0b4afc611 100644
--- a/detection-rules/impersonation_dropbox.yml
+++ b/detection-rules/impersonation_dropbox.yml
@@ -16,6 +16,21 @@ source: |
 and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*dropbox*"))
 )
 and sender.email.email not in $recipient_emails
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
index e8d2abda54a..38463680be0 100644
--- a/detection-rules/impersonation_employee_urgent_request.yml
+++ b/detection-rules/impersonation_employee_urgent_request.yml
@@ -30,6 +30,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index e8516047bd2..c1ade3a3c17 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -24,6 +24,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "BEC/Fraud"
 - "Credential Phishing"
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index d67692062f6..86b56296eb5 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
@@ -50,6 +50,20 @@ source: |
 )
 )
 
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
index dfb3d3f7e8e..f3bb336241b 100644
--- a/detection-rules/impersonation_paypal.yml
+++ b/detection-rules/impersonation_paypal.yml
@@ -59,6 +59,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml
index c1fe24ce78d..b828479d40e 100644
--- a/detection-rules/impersonation_spotify.yml
+++ b/detection-rules/impersonation_spotify.yml
@@ -27,6 +27,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml
index e69db5c1101..e65f9969246 100644
--- a/detection-rules/impersonation_sublime_security.yml
+++ b/detection-rules/impersonation_sublime_security.yml
@@ -19,6 +19,20 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml
index f1c421ae669..2993029b71b 100644
--- a/detection-rules/impersonation_ups.yml
+++ b/detection-rules/impersonation_ups.yml
@@ -18,6 +18,21 @@ source: |
 )
 and any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
 and sender.email.email not in $recipient_emails
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml
index 6267a289c5e..b7623a474de 100644
--- a/detection-rules/impersonation_vanta.yml
+++ b/detection-rules/impersonation_vanta.yml
@@ -19,6 +19,21 @@ source: |
 )
 and sender.email.domain.root_domain in $free_email_providers
 and sender.email.email not in $sender_emails
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml
index 513a75b1ec3..1d26f57863c 100644
--- a/detection-rules/impersonation_venmo.yml
+++ b/detection-rules/impersonation_venmo.yml
@@ -23,6 +23,20 @@ source: |
 )
 and strings.contains(sender.display_name, "via")
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml
index 13f1a9ab7a9..633e9b90938 100644
--- a/detection-rules/impersonation_vip_urgent_request.yml
+++ b/detection-rules/impersonation_vip_urgent_request.yml
@@ -22,6 +22,20 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml
index 117f9f3fd7f..3d0101bf77e 100644
--- a/detection-rules/impersonation_wells_fargo.yml
+++ b/detection-rules/impersonation_wells_fargo.yml
@@ -27,6 +27,21 @@ source: |
 'comcastspectacor.com'
 )
 and sender.email.email not in $recipient_emails
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
index 08e9ef5f47e..beea92518c5 100644
--- a/detection-rules/link_credential_phishing.yml
+++ b/detection-rules/link_credential_phishing.yml
@@ -16,6 +16,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 104b8c3d75a..921ddab41d4 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -137,6 +137,20 @@ source: |
 "yammer.com"
 )
 
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 526c001c888..2df67dece12 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -51,6 +51,21 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml
index b929c268a99..63e8330f413 100644
--- a/detection-rules/qr_code_suspicious_indicators.yml
+++ b/detection-rules/qr_code_suspicious_indicators.yml
@@ -43,6 +43,20 @@ source: |
 )
 )
 
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and
+ (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_domains
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
From 9933548ea4d725778e09897f7e6794605c451bce Mon Sep 17 00:00:00 2001
From: Sam Scholten Date: Thu, 26 Oct 2023 16:59:19 -0400 Subject: [PATCH 2/4] Swapping name to match list update --- detection-rules/attachment_any_html_unsolicited.yml | 4 ++-- .../body_business_email_compromise_new_sender.yml | 6 +++--- .../callback_phishing_nlu_body_or_attachments.yml | 6 +++--- detection-rules/impersonation_amazon.yml | 6 +++--- detection-rules/impersonation_amex.yml | 6 +++--- detection-rules/impersonation_bank_of_america.yml | 6 +++--- detection-rules/impersonation_chase.yml | 6 +++--- detection-rules/impersonation_coinbase.yml | 6 +++--- detection-rules/impersonation_dhl.yml | 6 +++--- detection-rules/impersonation_dropbox.yml | 6 +++--- detection-rules/impersonation_employee_urgent_request.yml | 6 +++--- detection-rules/impersonation_human_resources.yml | 6 +++--- detection-rules/impersonation_microsoft.yml | 6 +++--- detection-rules/impersonation_paypal.yml | 6 +++--- detection-rules/impersonation_spotify.yml | 6 +++--- detection-rules/impersonation_sublime_security.yml | 4 ++-- detection-rules/impersonation_ups.yml | 6 +++--- detection-rules/impersonation_vanta.yml | 6 +++--- detection-rules/impersonation_venmo.yml | 6 +++--- detection-rules/impersonation_vip_urgent_request.yml | 4 ++-- detection-rules/impersonation_wells_fargo.yml | 6 +++--- detection-rules/link_credential_phishing.yml | 6 +++--- detection-rules/link_microsoft_low_reputation.yml | 4 ++-- detection-rules/link_qr_code_suspicious_language_fts.yml | 6 +++--- detection-rules/qr_code_suspicious_indicators.yml | 4 ++-- 25 files changed, 70 insertions(+), 70 deletions(-)
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index 37af6e750d0..48c118ebf6f 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -20,14 +20,14 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
 tags:
 - "Attack surface reduction"
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index 52a4d81d134..af3b145c073 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -33,16 +33,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 28877532e08..976126c7348 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
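Review bot: The renamed reference on the `+` lines, `sender.email.domain.root_domain in high_trust_sender_root_domains` and its `not in` twin, drops the `$` sigil that every other list on the surrounding context lines keeps (`$recipient_domains`, `$recipient_emails`, `$org_domains`, `$free_email_providers`); if MQL resolves lists only through `$`, this is an undefined name rather than the renamed list, and the rule will either fail to load or never exempt the trusted set. The fix is the one-character change `sender.email.domain.root_domain in $high_trust_sender_root_domains` and `or sender.email.domain.root_domain not in $high_trust_sender_root_domains`, and it applies to the same two lines in every hunk of this patch. The enclosing `source` expression begins before the hunk in each file.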
@@ -44,16 +44,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Callback Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index b3f79834832..24bfa22f0ca 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -63,16 +63,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml
index 481ea759c7b..f358796348d 100644
--- a/detection-rules/impersonation_amex.yml
+++ b/detection-rules/impersonation_amex.yml
@@ -31,16 +31,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml
index a772d48fc9b..3aa68a79d4f 100644
--- a/detection-rules/impersonation_bank_of_america.yml
+++ b/detection-rules/impersonation_bank_of_america.yml
@@ -19,16 +19,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
index 7a9e07c49a3..73145ed206a 100644
--- a/detection-rules/impersonation_chase.yml
+++ b/detection-rules/impersonation_chase.yml
@@ -35,16 +35,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml
index a888bf684b5..9cb1aed5dc1 100644
--- a/detection-rules/impersonation_coinbase.yml
+++ b/detection-rules/impersonation_coinbase.yml
@@ -28,19 +28,19 @@ source: |
 and sender.email.domain.domain not in $recipient_domains
 )
 )
-
+
 // negate highly trusted sender domains unless they fail DMARC authentication
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
 tags:
 - "Cryptocurrency"
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index 8861db8178a..abb15727ede 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -36,16 +36,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml
index 0c0b4afc611..5bd552d3ca6 100644
--- a/detection-rules/impersonation_dropbox.yml
+++ b/detection-rules/impersonation_dropbox.yml
@@ -21,16 +21,16 @@ source: |
 and
 (
 (
- sender.email.domain.root_domain in $high_trust_sender_domains
+ sender.email.domain.root_domain in high_trust_sender_root_domains
 and (
 any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "*fail")
 )
 )
 )
- or sender.email.domain.root_domain not in $high_trust_sender_domains
+ or sender.email.domain.root_domain not in high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
index 38463680be0..cfb2a2744aa 100644
--- a/detection-rules/impersonation_employee_urgent_request.yml
+++ b/detection-rules/impersonation_employee_urgent_request.yml
@@ -35,16 +35,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "BEC/Fraud" tactics_and_techniques: diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index c1ade3a3c17..6677eda048f 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml @@ -29,16 +29,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "BEC/Fraud" - "Credential Phishing" diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml index 86b56296eb5..1222dd021a1 100644 --- a/detection-rules/impersonation_microsoft.yml +++ b/detection-rules/impersonation_microsoft.yml 
@@ -54,16 +54,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml index f3bb336241b..2ce6cecde42 100644 --- a/detection-rules/impersonation_paypal.yml +++ b/detection-rules/impersonation_paypal.yml @@ -64,16 +64,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml index b828479d40e..c258ec87972 100644 --- a/detection-rules/impersonation_spotify.yml +++ b/detection-rules/impersonation_spotify.yml 
@@ -32,16 +32,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml index e65f9969246..a83f6fc2b68 100644 --- a/detection-rules/impersonation_sublime_security.yml +++ b/detection-rules/impersonation_sublime_security.yml @@ -24,14 +24,14 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml index 2993029b71b..bd38a1f7a15 100644 --- a/detection-rules/impersonation_ups.yml +++ b/detection-rules/impersonation_ups.yml 
@@ -23,16 +23,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml index b7623a474de..b2f819778be 100644 --- a/detection-rules/impersonation_vanta.yml +++ b/detection-rules/impersonation_vanta.yml @@ -24,16 +24,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml index 1d26f57863c..4d7248b3af5 100644 --- a/detection-rules/impersonation_venmo.yml +++ b/detection-rules/impersonation_venmo.yml 
@@ -23,19 +23,19 @@ source: | ) and strings.contains(sender.display_name, "via") ) - + // negate highly trusted sender domains unless they fail DMARC authentication and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml index 633e9b90938..f80878b81a0 100644 --- a/detection-rules/impersonation_vip_urgent_request.yml +++ b/detection-rules/impersonation_vip_urgent_request.yml @@ -27,14 +27,14 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) attack_types: - "BEC/Fraud" diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml index 3d0101bf77e..7ca3a7b50c5 100644 --- a/detection-rules/impersonation_wells_fargo.yml +++ b/detection-rules/impersonation_wells_fargo.yml 
@@ -32,16 +32,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml index beea92518c5..e34aa693dae 100644 --- a/detection-rules/link_credential_phishing.yml +++ b/detection-rules/link_credential_phishing.yml @@ -21,16 +21,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml index 921ddab41d4..08bd17e23b5 100644 --- a/detection-rules/link_microsoft_low_reputation.yml +++ b/detection-rules/link_microsoft_low_reputation.yml 
@@ -141,14 +141,14 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml index 2df67dece12..e406d25a7c8 100644 --- a/detection-rules/link_qr_code_suspicious_language_fts.yml +++ b/detection-rules/link_qr_code_suspicious_language_fts.yml @@ -56,16 +56,16 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) - + attack_types: - "Credential Phishing" tactics_and_techniques: diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml index ce64f1f0ca2..166dd6edce3 100644 --- a/detection-rules/qr_code_suspicious_indicators.yml +++ b/detection-rules/qr_code_suspicious_indicators.yml 
@@ -46,14 +46,14 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in high_trust_sender_root_domains ) attack_types: From 48512d50e0627c62f5643ca3d55440205d940005 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 26 Oct 2023 17:01:04 -0400 Subject: [PATCH 3/4] Update attachment_any_html_new_sender.yml --- detection-rules/attachment_any_html_new_sender.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml index cc95a145e08..a38f997871d 100644 --- a/detection-rules/attachment_any_html_new_sender.yml +++ b/detection-rules/attachment_any_html_new_sender.yml @@ -23,14 +23,14 @@ source: | and ( ( - sender.email.domain.root_domain in $high_trust_sender_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in $high_trust_sender_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) tags: From 141b21fc6e3e7b57506cb49cc8c92f9bba9adae8 Mon Sep 17 00:00:00 2001 
From: Sam Scholten Date: Thu, 26 Oct 2023 20:04:38 -0400 Subject: [PATCH 4/4] Adding missed $ --- detection-rules/attachment_any_html_unsolicited.yml | 4 ++-- detection-rules/body_business_email_compromise_new_sender.yml | 4 ++-- detection-rules/callback_phishing_nlu_body_or_attachments.yml | 4 ++-- detection-rules/impersonation_amazon.yml | 4 ++-- detection-rules/impersonation_amex.yml | 4 ++-- detection-rules/impersonation_bank_of_america.yml | 4 ++-- detection-rules/impersonation_chase.yml | 4 ++-- detection-rules/impersonation_coinbase.yml | 4 ++-- detection-rules/impersonation_dhl.yml | 4 ++-- detection-rules/impersonation_dropbox.yml | 4 ++-- detection-rules/impersonation_employee_urgent_request.yml | 4 ++-- detection-rules/impersonation_human_resources.yml | 4 ++-- detection-rules/impersonation_microsoft.yml | 4 ++-- detection-rules/impersonation_paypal.yml | 4 ++-- detection-rules/impersonation_spotify.yml | 4 ++-- detection-rules/impersonation_sublime_security.yml | 4 ++-- detection-rules/impersonation_ups.yml | 4 ++-- detection-rules/impersonation_vanta.yml | 4 ++-- detection-rules/impersonation_venmo.yml | 4 ++-- detection-rules/impersonation_vip_urgent_request.yml | 4 ++-- detection-rules/impersonation_wells_fargo.yml | 4 ++-- detection-rules/link_credential_phishing.yml | 4 ++-- detection-rules/link_microsoft_low_reputation.yml | 4 ++-- detection-rules/link_qr_code_suspicious_language_fts.yml | 4 ++-- detection-rules/qr_code_suspicious_indicators.yml | 4 ++-- 25 files changed, 50 insertions(+), 50 deletions(-) diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml index 48c118ebf6f..63930d5d697 100644 --- a/detection-rules/attachment_any_html_unsolicited.yml +++ b/detection-rules/attachment_any_html_unsolicited.yml 
@@ -20,14 +20,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) tags: - "Attack surface reduction" diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml index af3b145c073..2c611b22b9e 100644 --- a/detection-rules/body_business_email_compromise_new_sender.yml +++ b/detection-rules/body_business_email_compromise_new_sender.yml @@ -33,14 +33,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml index 976126c7348..3759b91daae 100644 --- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml +++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml 
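Review bot: In the attachment_any_html_unsolicited.yml hunk, a sender whose root domain is in $high_trust_sender_root_domains suppresses the rule whenever no hop carries a DMARC result ending in "fail", so a message with no DMARC verdict on any hop (or a verdict of none, temperror or permerror) is treated as if it had authenticated — and the From domain is exactly the field a spoofer controls. The safer shape is to suppress only on an explicit pass, e.g. replace the inner check with `not any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "pass"))`, or at minimum require that at least one hop has a non-null DMARC result before the domain is trusted. If `distinct()` keeps one hop per key value, only the first hop with a non-null DMARC result is inspected, so a later failing verdict would be missed — worth confirming against the MQL semantics. The enclosing `source:` expression begins outside this hunk.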
@@ -44,14 +44,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml index 24bfa22f0ca..fefefa60530 100644 --- a/detection-rules/impersonation_amazon.yml +++ b/detection-rules/impersonation_amazon.yml @@ -63,14 +63,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml index f358796348d..2655b4dddd8 100644 --- a/detection-rules/impersonation_amex.yml +++ b/detection-rules/impersonation_amex.yml @@ -31,14 +31,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: 
diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml index 3aa68a79d4f..a2a1d56a231 100644 --- a/detection-rules/impersonation_bank_of_america.yml +++ b/detection-rules/impersonation_bank_of_america.yml @@ -19,14 +19,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml index 73145ed206a..d42cdebe6c7 100644 --- a/detection-rules/impersonation_chase.yml +++ b/detection-rules/impersonation_chase.yml @@ -35,14 +35,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml index 9cb1aed5dc1..da67b05fe84 100644 --- a/detection-rules/impersonation_coinbase.yml +++ b/detection-rules/impersonation_coinbase.yml 
@@ -33,14 +33,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) tags: - "Cryptocurrency" diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml index abb15727ede..369bf556318 100644 --- a/detection-rules/impersonation_dhl.yml +++ b/detection-rules/impersonation_dhl.yml @@ -36,14 +36,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml index 5bd552d3ca6..394faee4bbb 100644 --- a/detection-rules/impersonation_dropbox.yml +++ b/detection-rules/impersonation_dropbox.yml @@ -21,14 +21,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: 
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml index cfb2a2744aa..d79b3301a55 100644 --- a/detection-rules/impersonation_employee_urgent_request.yml +++ b/detection-rules/impersonation_employee_urgent_request.yml @@ -35,14 +35,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index 6677eda048f..dde8c198b23 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml @@ -29,14 +29,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml index 1222dd021a1..2eb31286c2a 100644 --- a/detection-rules/impersonation_microsoft.yml +++ b/detection-rules/impersonation_microsoft.yml 
@@ -54,14 +54,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml index 2ce6cecde42..556837e94c9 100644 --- a/detection-rules/impersonation_paypal.yml +++ b/detection-rules/impersonation_paypal.yml @@ -64,14 +64,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml index c258ec87972..989da91b16d 100644 --- a/detection-rules/impersonation_spotify.yml +++ b/detection-rules/impersonation_spotify.yml @@ -32,14 +32,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: 
diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml index a83f6fc2b68..2d7e10449d9 100644 --- a/detection-rules/impersonation_sublime_security.yml +++ b/detection-rules/impersonation_sublime_security.yml @@ -24,14 +24,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml index bd38a1f7a15..383f3a6e0ec 100644 --- a/detection-rules/impersonation_ups.yml +++ b/detection-rules/impersonation_ups.yml @@ -23,14 +23,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml index b2f819778be..39c6d5ef1a0 100644 --- a/detection-rules/impersonation_vanta.yml +++ b/detection-rules/impersonation_vanta.yml 
@@ -24,14 +24,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml index 4d7248b3af5..61b4f12f8d8 100644 --- a/detection-rules/impersonation_venmo.yml +++ b/detection-rules/impersonation_venmo.yml @@ -28,14 +28,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: - "Credential Phishing" diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml index f80878b81a0..02611bfeb1e 100644 --- a/detection-rules/impersonation_vip_urgent_request.yml +++ b/detection-rules/impersonation_vip_urgent_request.yml @@ -27,14 +27,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: - "BEC/Fraud" 
diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml index 7ca3a7b50c5..c63f6bd6988 100644 --- a/detection-rules/impersonation_wells_fargo.yml +++ b/detection-rules/impersonation_wells_fargo.yml @@ -32,14 +32,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml index e34aa693dae..24184577d11 100644 --- a/detection-rules/link_credential_phishing.yml +++ b/detection-rules/link_credential_phishing.yml @@ -21,14 +21,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml index 08bd17e23b5..b8a2e2ec3c5 100644 --- a/detection-rules/link_microsoft_low_reputation.yml +++ b/detection-rules/link_microsoft_low_reputation.yml 
@@ -141,14 +141,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml index e406d25a7c8..ddbf41c778f 100644 --- a/detection-rules/link_qr_code_suspicious_language_fts.yml +++ b/detection-rules/link_qr_code_suspicious_language_fts.yml @@ -56,14 +56,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types: diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml index 166dd6edce3..a5a70fedcf8 100644 --- a/detection-rules/qr_code_suspicious_indicators.yml +++ b/detection-rules/qr_code_suspicious_indicators.yml @@ -46,14 +46,14 @@ source: | and ( ( - sender.email.domain.root_domain in high_trust_sender_root_domains + sender.email.domain.root_domain in $high_trust_sender_root_domains and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) ) - or sender.email.domain.root_domain not in high_trust_sender_root_domains + or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) attack_types:
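Review bot: In the qr_code_suspicious_indicators.yml hunk, the trusted-domain exemption fires on the absence of a failing DMARC verdict rather than the presence of a passing one, so a message whose hops record no DMARC result at all is exempted as though it had been authenticated; consider `strings.ilike(.authentication_results.dmarc, "pass")` guarded by `not` so that missing or errored results keep the rule active. The same eleven-line block is copied verbatim into every rule in this series and has already drifted once (the `$` dropped in the earlier patch and restored here), so a short comment in each copy naming it as a shared block to be kept byte-identical would make a grep-based consistency check possible. The enclosing `source:` expression begins outside this hunk.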