Expand Up @@ -4,10 +4,10 @@ type: "rule"
severity: "medium"
source: |
type.inbound
and length(body.previous_threads) == 0
and (length(body.previous_threads) == 0 or length(headers.references) == 0)
and length(body.current_thread.text) < 5000
and 0 < length(body.links) < 10

// common strings in subject or base
and (
2 of (
Expand Down Expand Up @@ -43,81 +43,94 @@ source: |
strings.ilike(sender.display_name, '*Advisory*')
)
)

// common strings in email current thread
and 15 of (
strings.ilike(body.current_thread.text, '*copyright*'),
strings.ilike(body.current_thread.text, '*trademark*'),
strings.ilike(body.current_thread.text, '*inquiry*'),
strings.ilike(body.current_thread.text, '*online*'),
strings.ilike(body.current_thread.text, '*authorized*'),
strings.ilike(body.current_thread.text, '*legal*'),
strings.ilike(body.current_thread.text, '*represent*'),
strings.ilike(body.current_thread.text, '*lawful*'),
strings.ilike(body.current_thread.text, '*owner*'),
strings.ilike(body.current_thread.text, '*materials*'),
strings.ilike(body.current_thread.text, '*protected*'),
strings.ilike(body.current_thread.text, '*infring*'),
strings.ilike(body.current_thread.text, '*immediate*'),
strings.ilike(body.current_thread.text, '*cessation*'),
strings.ilike(body.current_thread.text, '*content*'),
strings.ilike(body.current_thread.text, '*referenced*'),
strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
strings.ilike(body.current_thread.text, '*constitutes*'),
strings.ilike(body.current_thread.text, '*authorization*'),
strings.ilike(body.current_thread.text, '*removal*'),
strings.ilike(body.current_thread.text, '*comply*'),
strings.ilike(body.current_thread.text, '*failure*'),
strings.ilike(body.current_thread.text, '*law firm*'),
strings.ilike(body.current_thread.text, '*LLP*'),
strings.ilike(body.current_thread.text, '*compliance*'),
strings.ilike(body.current_thread.text, '*cease*'),
strings.ilike(body.current_thread.text, '*protect*'),
strings.ilike(body.current_thread.text, '*rights*'),
strings.ilike(body.current_thread.text, '*penalty*'),
strings.ilike(body.current_thread.text, '*perjury*'),
strings.ilike(body.current_thread.text, '*holder*'),
strings.ilike(body.current_thread.text, '*declare*'),
strings.ilike(body.current_thread.text, '*sworn*'),
strings.ilike(body.current_thread.text, '*affidavit*'),
strings.ilike(body.current_thread.text, '*investigation*'),
strings.ilike(body.current_thread.text, '*identified*'),
strings.ilike(body.current_thread.text, '*reproduction*'),
strings.ilike(body.current_thread.text, '*license*'),
strings.ilike(body.current_thread.text, '*granted*'),
strings.ilike(body.current_thread.text, '*permitting*'),
strings.ilike(body.current_thread.text, '*evidence*'),
strings.ilike(body.current_thread.text, '*proceedings*'),
strings.ilike(body.current_thread.text, '*evidentiary*'),
strings.ilike(body.current_thread.text, '*remove*'),
strings.ilike(body.current_thread.text, '*suspend*'),
strings.ilike(body.current_thread.text, '*discontinue*'),
strings.ilike(body.current_thread.text, '*72 hours*'),
strings.ilike(body.current_thread.text, '*48 hours*'),
strings.ilike(body.current_thread.text, '*24 hours*'),
strings.ilike(body.current_thread.text, '*proof*'),
strings.ilike(body.current_thread.text, '*unresolved*'),
strings.ilike(body.current_thread.text, '*accordance*'),
strings.ilike(body.current_thread.text, '*procedures*'),
strings.ilike(body.current_thread.text, '*interests*'),
strings.ilike(body.current_thread.text, '*appeal*'),
strings.ilike(body.current_thread.text, '*clarification*'),
strings.ilike(body.current_thread.text, '*notice*'),
strings.ilike(body.current_thread.text, '*dissemination*'),
strings.ilike(body.current_thread.text, '*counter-notice*'),
strings.ilike(body.current_thread.text, '*exploitation*')
and (
15 of (
strings.ilike(body.current_thread.text, '*copyright*'),
strings.ilike(body.current_thread.text, '*trademark*'),
strings.ilike(body.current_thread.text, '*inquiry*'),
strings.ilike(body.current_thread.text, '*online*'),
strings.ilike(body.current_thread.text, '*authorized*'),
strings.ilike(body.current_thread.text, '*legal*'),
strings.ilike(body.current_thread.text, '*represent*'),
strings.ilike(body.current_thread.text, '*lawful*'),
strings.ilike(body.current_thread.text, '*owner*'),
strings.ilike(body.current_thread.text, '*materials*'),
strings.ilike(body.current_thread.text, '*protected*'),
strings.ilike(body.current_thread.text, '*infring*'),
strings.ilike(body.current_thread.text, '*immediate*'),
strings.ilike(body.current_thread.text, '*cessation*'),
strings.ilike(body.current_thread.text, '*content*'),
strings.ilike(body.current_thread.text, '*referenced*'),
strings.ilike(body.current_thread.text, '*17 U.S.C. §*'),
strings.ilike(body.current_thread.text, '*constitutes*'),
strings.ilike(body.current_thread.text, '*authorization*'),
strings.ilike(body.current_thread.text, '*removal*'),
strings.ilike(body.current_thread.text, '*comply*'),
strings.ilike(body.current_thread.text, '*failure*'),
strings.ilike(body.current_thread.text, '*law firm*'),
strings.ilike(body.current_thread.text, '*LLP*'),
strings.ilike(body.current_thread.text, '*compliance*'),
strings.ilike(body.current_thread.text, '*cease*'),
strings.ilike(body.current_thread.text, '*protect*'),
strings.ilike(body.current_thread.text, '*rights*'),
strings.ilike(body.current_thread.text, '*penalty*'),
strings.ilike(body.current_thread.text, '*perjury*'),
strings.ilike(body.current_thread.text, '*holder*'),
strings.ilike(body.current_thread.text, '*declare*'),
strings.ilike(body.current_thread.text, '*sworn*'),
strings.ilike(body.current_thread.text, '*affidavit*'),
strings.ilike(body.current_thread.text, '*investigation*'),
strings.ilike(body.current_thread.text, '*identified*'),
strings.ilike(body.current_thread.text, '*reproduction*'),
strings.ilike(body.current_thread.text, '*license*'),
strings.ilike(body.current_thread.text, '*granted*'),
strings.ilike(body.current_thread.text, '*permitting*'),
strings.ilike(body.current_thread.text, '*evidence*'),
strings.ilike(body.current_thread.text, '*proceedings*'),
strings.ilike(body.current_thread.text, '*evidentiary*'),
strings.ilike(body.current_thread.text, '*remove*'),
strings.ilike(body.current_thread.text, '*suspend*'),
strings.ilike(body.current_thread.text, '*discontinue*'),
strings.ilike(body.current_thread.text, '*72 hours*'),
strings.ilike(body.current_thread.text, '*48 hours*'),
strings.ilike(body.current_thread.text, '*24 hours*'),
strings.ilike(body.current_thread.text, '*proof*'),
strings.ilike(body.current_thread.text, '*unresolved*'),
strings.ilike(body.current_thread.text, '*accordance*'),
strings.ilike(body.current_thread.text, '*procedures*'),
strings.ilike(body.current_thread.text, '*interests*'),
strings.ilike(body.current_thread.text, '*appeal*'),
strings.ilike(body.current_thread.text, '*clarification*'),
strings.ilike(body.current_thread.text, '*notice*'),
strings.ilike(body.current_thread.text, '*dissemination*'),
strings.ilike(body.current_thread.text, '*counter-notice*'),
strings.ilike(body.current_thread.text, '*exploitation*')
)
or (
any(ml.nlu_classifier(body.current_thread.text).topics,
.name == "Legal and Compliance" and .confidence != 'low'
)
and length(attachments) == 0
// fake attachment card: bordered div containing a link that looks like a PDF file
and length(html.xpath(body.html,
'//div[contains(@style, "border")][.//a[contains(., ".pdf")]]'
).nodes
) > 0
)
)

// remove phrase from legitimate complaint
and not regex.icontains(body.current_thread.text,
'(?:we are passing the notice below|content has been removed|removed from our website|notice of intended action|I have not granted|I am the original creator|content you reported has been removed|complaint will be carefully reviewed|provide a list of violations|document confirming your right to act)'
)

// not copyright reports
and not regex.icontains(body.current_thread.text,
'(?:confirmation|received).{0,100}copyright report'
)

// verified dmca receiving/sending address
and not any([recipients.cc, recipients.to, recipients.bcc],
any(.,
Expand All @@ -130,6 +143,7 @@ source: |
)
)
and not strings.icontains(sender.email.domain.root_domain, 'edwinjamesip.com')

attack_types:
- "BEC/Fraud"
- "Extortion"
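Review bot: The sender exclusion added in the last hunk, `and not strings.icontains(sender.email.domain.root_domain, 'edwinjamesip.com')`, is a substring test on the registrable domain, so any root domain that merely ends in that string also clears the whole rule, and nothing ties the exclusion to the message having passed sender authentication, so a spoofed From of that domain is excluded as well. Use an exact comparison, `and not sender.email.domain.root_domain == 'edwinjamesip.com'`, and, if the other sender-based exclusions in this rule set gate on authentication results (the "verified dmca receiving/sending address" block just above is cut off here, so I cannot confirm its shape), gate this one the same way. A short comment beside it, `// known IP law firm; exact root-domain match only, never a substring`, would record why the domain is trusted and keep the next edit from loosening it again. The `source:` expression this line belongs to begins in the earlier hunks, outside this one.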