Create fake_canada_taxrevenue_T4.yml

[cybher0808]

Description

Detects messages impersonating the Canada Revenue Agency (CRA) with attachments, using common tax-related subjects in both English and French, and containing CRA-related content in the message body.

Associated samples

• Sample 1

Associated hunts

• Hunt
• NetNew Hunt
• Multi-hunt 30D

[cybher0808]

In test-rules are a mixture of malicious and benign, the benign samples match on suspicious strings from file.explode. I have included hunting customer environments and they look suspicious/malicious - check in Notion for clarification.

[cybher0808]

Test-rules/multi-hunt outcome are looking good in this case from revisions. Majority of the samples are malicious.

[IndiaAce]

I've requested a few changes, going to remove the review-needed label for the time being. Feel free to add it back when you're ready for a re-review!

[github-actions]

Shared Samples Sync - Excluded

This PR contains 14 rules, which exceeds the maximum of 10 rules allowed per PR for automatic syncing.

This limit helps ensure the shared-samples environment remains manageable. If you need to test these rules, consider:

• Splitting the PR into smaller PRs with fewer rules
• Contacting Detection Operations to request a manual sync

[cybher0808]

Waiting for this hunt search to finish. Results have been shared from Mode and SS. Some environments have failed after hunting see ESC.

Made a few changes since there were FP's flagged with my previous written rule. Added the 3 of to this current rule to catch malicious characteristics.

Marking for R4R.

[IndiaAce]

I think we can simplify this logic a bit without needing all the topic negations and extra stuff, I've been running some hunts this morning that's just "says its from CRA, with cred theft, and isn't actually from them" let me know your thoughts but I think it's doing well. Feel free to grab this.

type.inbound
// sender claims to be CRA
and (
  strings.icontains(sender.display_name, 'canada revenue agency')
  or strings.icontains(sender.display_name, 'agence du revenu du canada')
  or (
    // cra display name and cra reference in subject
    regex.icontains(sender.display_name, '\bcra\b')
    and regex.icontains(subject.base,
                        '(?:T4|cra|tax|canada revenue|revenu du canada)'
    )
  )
)
// nlu cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != 'low'
)
and not (
  (
    // negate highly trusted sender domains
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    // negate legit senders from merck
    or sender.email.domain.root_domain == "cra-arc.gc.ca"
  )
  // enforce auth
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

https://hunt.limeseed.email/hunts/dcd0dc39-7afd-4aea-bf40-a17b6480a35a
https://platform.sublime.security/messages/hunt?huntId=019e742e-bba0-753a-87c2-b8fd1e6905ec

Gonna remove review-needed for now but feel free to message me if you want a re-review on it.

[cybher0808]

I was a bit hesitant a bit since I felt like my last rule proposed felt like it was a mouth full, I like this clean up. Good approach here. I doubled check if I missed any.

I reran after sharing the multi-hunt results - solid count here --> hunt & ran a net-new, validation check. TY! @IndiaAce