diff --git a/detection-rules/fake_thread_suspicious_indicators.yml b/detection-rules/fake_thread_suspicious_indicators.yml
index 295753711be..29ebf13955d 100644
--- a/detection-rules/fake_thread_suspicious_indicators.yml
+++ b/detection-rules/fake_thread_suspicious_indicators.yml
@@ -119,8 +119,24 @@ source: |
 // body contains name of VIP
 (
- any($org_vips, strings.icontains(body.html.inner_text, .display_name))
- or any($org_vips, strings.icontains(body.plain.raw, .display_name))
+ any($org_vips,
+ strings.icontains(body.html.inner_text, .display_name)
+ or strings.icontains(body.html.inner_text,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.icontains(body.html.inner_text,
+ strings.concat(.last_name, ", ", .first_name)
+ )
+ )
+ or any($org_vips,
+ strings.icontains(body.plain.raw, .display_name)
+ or strings.icontains(body.plain.raw,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.icontains(body.plain.raw,
+ strings.concat(.last_name, ", ", .first_name)
+ )
+ )
 ),
 // new body domain
diff --git a/detection-rules/impersonation_google_groups_suspicious.yml b/detection-rules/impersonation_google_groups_suspicious.yml
index ba96ff00b00..e804d5ac21d 100644
--- a/detection-rules/impersonation_google_groups_suspicious.yml
+++ b/detection-rules/impersonation_google_groups_suspicious.yml
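Review bot: The two new `strings.concat` variants on `body.html.inner_text` and on `body.plain.raw` carry no guard for a VIP entry whose `first_name` or `last_name` is empty or unset, a case the original `.display_name` check did not have to deal with; the concatenation then collapses to something like `Smith ` or `, Smith` (constructed examples), and `strings.icontains` over the whole body will find that in ordinary mail. The diff does not show how `$org_vips` is populated or how `strings.concat` treats a missing field, so treat this as a question to confirm rather than a proven false positive, but a guard such as `length(.first_name) > 0 and length(.last_name) > 0` in front of each concatenated variant would keep the widened match safe. The same construct is repeated in impersonation_google_groups_suspicious.yml, both service_abuse_trello_board_invite_vip.yml hunks, vip_impersonation_charity.yml, vip_impersonation_fake_thread.yml and vip_impersonation_subject.yml, so whatever guard is chosen should land in all of them. The enclosing `source:` expression begins before this hunk.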
@@ -9,10 +9,34 @@ source: |
 // subject, sender or reply to contains a VIP
 and (
 any(headers.reply_to,
- any($org_vips, strings.contains(.display_name, ..display_name))
+ any($org_vips,
+ strings.contains(.display_name, ..display_name)
+ or strings.contains(strings.concat(.first_name, " ", .last_name),
+ ..display_name
+ )
+ or strings.contains(strings.concat(.last_name, ", ", .first_name),
+ ..display_name
+ )
+ )
+ )
+ or any($org_vips,
+ strings.contains(subject.subject, .display_name)
+ or strings.contains(subject.subject,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.contains(subject.subject,
+ strings.concat(.last_name, ", ", .first_name)
+ )
+ )
+ or any($org_vips,
+ strings.contains(sender.display_name, .display_name)
+ or strings.contains(sender.display_name,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.contains(sender.display_name,
+ strings.concat(.last_name, ", ", .first_name)
+ )
 )
- or any($org_vips, strings.contains(subject.subject, .display_name))
- or any($org_vips, strings.contains(sender.display_name, .display_name))
 )
 and any(headers.hops,
 any(.fields,
@@ -53,7 +77,7 @@ source: |
 )
 ),
- // reply-to is freemail
+ // reply-to is freemail
 any(headers.reply_to, .email.domain.domain in $free_email_providers),
 // reply-to is not in $recipient_emails
diff --git a/detection-rules/service_abuse_trello_board_invite_vip.yml b/detection-rules/service_abuse_trello_board_invite_vip.yml
index 42b7b18c7c8..59bc3b3aa3b 100644
--- a/detection-rules/service_abuse_trello_board_invite_vip.yml
+++ b/detection-rules/service_abuse_trello_board_invite_vip.yml
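Review bot: In the `headers.reply_to` branch the new lines keep the original argument order, `strings.contains(strings.concat(.first_name, " ", .last_name), ..display_name)`, so the VIP's assembled name is the haystack and the reply-to display name is the needle, the opposite direction from the `subject.subject` and `sender.display_name` branches added just below it. Read literally, a reply-to display name that is any substring of the VIP's full name satisfies it, and nothing in the hunk says whether that looseness is deliberate. If it is, a one-line comment above the branch, `// reply-to display name must appear inside the VIP name (looser than the subject/sender checks below)`, would stop the next reader from "fixing" it; if it is not, swapping the two arguments in the two new calls brings the branch in line with the others. The `and (` group is closed inside the hunk but the `source:` expression it belongs to starts earlier in the file.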
@@ -27,7 +27,15 @@ source: |
 // org_sld as the start of the board name with the org_vip as the sender
 any(html.xpath(body.html, '//h2').nodes,
 // org vip
- any($org_vips, strings.icontains(..display_text, .display_name))
+ any($org_vips,
+ strings.icontains(..display_text, .display_name)
+ or strings.icontains(..display_text,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.icontains(..display_text,
+ strings.concat(.last_name, ", ", .first_name)
+ )
+ )
 // org sld as the board name
 and any($org_slds,
 strings.icontains(..display_text,
@@ -41,7 +49,21 @@ source: |
 ).nodes,
 strings.starts_with(.display_text, 'A note from ')
 and strings.iends_with(.display_text, 'From')
- and any($org_vips, strings.icontains(..display_text, .display_name))
+ and any($org_vips,
+ strings.icontains(..display_text, .display_name)
+ or strings.icontains(..display_text,
+ strings.concat(.first_name,
+ " ",
+ .last_name
+ )
+ )
+ or strings.icontains(..display_text,
+ strings.concat(.last_name,
+ ", ",
+ .first_name
+ )
+ )
+ )
 )
 )
 attack_types:
diff --git a/detection-rules/vip_impersonation_charity.yml b/detection-rules/vip_impersonation_charity.yml
index 479b3e9a269..43bdfbc89fe 100644
--- a/detection-rules/vip_impersonation_charity.yml
+++ b/detection-rules/vip_impersonation_charity.yml
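Review bot: The two hunks in this file format the identical expression differently: the `//h2` branch writes `strings.concat(.first_name, " ", .last_name)` on one line, while the `A note from` branch spreads the same three arguments over four lines with one closing parenthesis per line. Both hunks are new in this commit, so it is worth settling on one layout, and the compact form already used in the first hunk is the easier one to compare against the other VIP rules touched here. The `any(html.xpath(...).nodes, ...)` call that the second hunk sits in opens before `@@ -41,7 +49,21 @@`.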
@@ -17,8 +17,24 @@ source: |
 .name == "request"
 )
 and (
- any($org_vips, strings.icontains(body.html.inner_text, .display_name))
- or any($org_vips, strings.icontains(body.plain.raw, .display_name))
+ any($org_vips,
+ strings.icontains(body.html.inner_text, .display_name)
+ or strings.icontains(body.html.inner_text,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.icontains(body.html.inner_text,
+ strings.concat(.last_name, ", ", .first_name)
+ )
+ )
+ or any($org_vips,
+ strings.icontains(body.plain.raw, .display_name)
+ or strings.icontains(body.plain.raw,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.icontains(body.plain.raw,
+ strings.concat(.last_name, ", ", .first_name)
+ )
+ )
 )
 and (
 (
@@ -57,7 +73,6 @@ source: |
 or profile.by_sender().days_known > 30
 )
 and not profile.by_sender().any_messages_benign
-
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
diff --git a/detection-rules/vip_impersonation_fake_thread.yml b/detection-rules/vip_impersonation_fake_thread.yml
index 2e9ff32151b..651f1e24c41 100644
--- a/detection-rules/vip_impersonation_fake_thread.yml
+++ b/detection-rules/vip_impersonation_fake_thread.yml
@@ -5,16 +5,60 @@ severity: "medium"
 source: |
 type.inbound
 and any($org_vips,
- strings.icontains(body.html.display_text,
- strings.concat("From: ", .display_name, " <")
+ (
+ strings.icontains(body.html.display_text,
+ strings.concat("From: ", .display_name, " <")
+ )
+ or strings.icontains(body.html.display_text,
+ strings.concat("From: ",
+ strings.concat(.first_name,
+ " ",
+ .last_name
+ ),
+ " <"
+ )
+ )
+ or strings.icontains(body.html.display_text,
+ strings.concat("From: ",
+ strings.concat(.last_name,
+ ", ",
+ .first_name
+ ),
+ " <"
+ )
+ )
 )
- and not strings.icontains(body.html.display_text,
- strings.concat("From: ",
- .display_name,
- " <",
- .email,
- ">"
- )
+ and not (
+ strings.icontains(body.html.display_text,
+ strings.concat("From: ",
+ .display_name,
+ " <",
+ .email,
+ ">"
+ )
+ )
+ or strings.icontains(body.html.display_text,
+ strings.concat("From: ",
+ strings.concat(.first_name,
+ " ",
+ .last_name
+ ),
+ " <",
+ .email,
+ ">"
+ )
+ )
+ or strings.icontains(body.html.display_text,
+ strings.concat("From: ",
+ strings.concat(.last_name,
+ ", ",
+ .first_name
+ ),
+ " <",
+ .email,
+ ">"
+ )
+ )
 )
 )
 and any([body.current_thread.text, body.html.display_text, body.plain.raw],
diff --git a/detection-rules/vip_impersonation_subject.yml b/detection-rules/vip_impersonation_subject.yml
index 1f233159dd6..11222d92e31 100644
--- a/detection-rules/vip_impersonation_subject.yml
+++ b/detection-rules/vip_impersonation_subject.yml
@@ -13,7 +13,15 @@ severity: "medium"
 source: |
 type.inbound
 and any($org_vips,
- strings.contains(subject.subject, .display_name)
+ (
+ strings.contains(subject.subject, .display_name)
+ or strings.contains(subject.subject,
+ strings.concat(.first_name, " ", .last_name)
+ )
+ or strings.contains(subject.subject,
+ strings.concat(.last_name, ", ", .first_name)
+ )
+ )
 and strings.contains(.display_name, " ")
 )
 // not being sent to said VIP
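Review bot: Each of the four new name variants wraps a `strings.concat` inside another `strings.concat`, although the call already takes a flat argument list, as the `strings.concat("From: ", .display_name, " <", .email, ">")` lines in the same hunk show. Flattening them, e.g. `strings.concat("From: ", .first_name, " ", .last_name, " <")` and `strings.concat("From: ", .last_name, ", ", .first_name, " <", .email, ">")`, removes a nesting level and four closing parentheses per variant and makes the three forms read like the existing display-name one. It would also help to note in a comment that the `and not ( ... )` group now suppresses the match when any of the three name forms appears next to the VIP's real `.email`, not only the form that triggered, which as far as I can tell is a widening of the exclusion the hunk does not call out. The `any($org_vips, ...)` call closes inside the hunk; the rest of the `source:` expression continues after it.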
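Review bot: The `strings.contains(.display_name, " ")` guard that follows the new parenthesised group still gates all three name variants, yet it only inspects `.display_name`, so a VIP with a single-token display name but a populated first/last name can never match through the two new `strings.concat` branches, while a VIP entry with a blank `first_name` or `last_name` passes the guard with a one-word needle such as `Smith ` (constructed). The guard reads like a minimum-length safeguard for the display-name match, so it belongs inside that branch with an equivalent non-empty check on the concatenated forms, roughly `(strings.contains(subject.subject, .display_name) and strings.contains(.display_name, " "))` `or (length(.first_name) > 0 and length(.last_name) > 0 and (...the two concat checks...))`. The recipient carve-out in `@@ -23,7 +31,21 @@` on the next line reproduces the same arrangement and should change with it so the detection and the not-to-the-VIP exclusion stay symmetric. The `any($org_vips, ...)` call closes inside this hunk; the `// not being sent to said VIP` block it is followed by continues past it.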
@@ -23,7 +31,21 @@ source: |
 and all(recipients.to,
 any($org_vips,
 .email == ..email.email
- and strings.contains(subject.subject, .display_name)
+ and (
+ strings.contains(subject.subject, .display_name)
+ or strings.contains(subject.subject,
+ strings.concat(.first_name,
+ " ",
+ .last_name
+ )
+ )
+ or strings.contains(subject.subject,
+ strings.concat(.last_name,
+ ", ",
+ .first_name
+ )
+ )
+ )
 and strings.contains(.display_name, " ")
 )
 )
@@ -77,7 +99,6 @@ source: |
 )
 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
-
 tags:
 - "Attack surface reduction"
 attack_types: