
Commit cc91493

[Test Rules] [PR #4498] modified rule: Link: Generic financial document and suspicious hosting template
1 parent 56db966 commit cc91493

1 file changed

Lines changed: 5 additions & 11 deletions


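--- a/detection-rules/4498_link_financial_document_timeline_template.yml
+++ b/detection-rules/4498_link_financial_document_timeline_template.yml
@@ -4,26 +4,20 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
-// nlu filtering
-and not (
-any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")
-and not length(body.current_thread.text) <= 1600
-)
-
 // expectation of time
 and regex.icontains(body.current_thread.text,
-'will be released|\b[1-4].[1-4]\b.{1,10}days?'
+'will be released.{0,15}(?:(Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s+(January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},)|\b[1-4]\W[1-4]\b.{1,10}days'
 )
 
 // link is malicious
 and any(body.links,
 // key phrasing or nlu
 (
 regex.icontains(.display_text,
-'(?:access|view).{0,10}|payment|statement'
+'(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)|advice|deposit|document|eft|release|remit'
 )
 or any(ml.nlu_classifier(body.current_thread.text).topics,
-.name == "Request to View Invoice" and .confidence != "low"
+.name == "Request to View Invoice" and .confidence == "high"
 )
 )
 // suspicious hosting
@@ -32,7 +26,7 @@ source: |
 or .href_url.domain.tld in $suspicious_tlds
 or .href_url.domain.root_domain not in $tranco_1m
 // open redirect
-or strings.icontains(.href_url.query_params, '=https')
+or strings.icontains(.href_url.query_params, '=https', 'url=')
 )
 // negate org domains
 and .href_url.domain.valid != false
@@ -70,4 +64,4 @@ detection_methods:
 id: "1a6e4ced-4391-597f-9184-d4d1c57dedc7"
 og_id: "027cb65d-aee3-5f10-9555-20b719bbde42"
 testing_pr: 4498
-testing_sha: e6a854f326d20dc2452a4350622bd79e632a7d88
+testing_sha: b8a832d865599082a987be2bc64bcb4e71e777dd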
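Review bot: The new display_text pattern in the first hunk lists `eft`, `advice`, `deposit`, `document`, `release` and `remit` as bare substrings, and since regex.icontains is a substring match, `eft` fires on link text such as "left", "theft" or "deft" and `release` on any "released" copy, which undercuts the false-positive tightening the rest of the commit is doing. Anchoring the short keywords on a leading word boundary keeps the intended hits (remittance, released, documents) while dropping those, e.g. `'(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)|\b(?:advice|deposit|document|eft|release|remit)'`. Note also that the timeline pattern now requires the plural `days` where the old one accepted `days?`, so a "3-5 business day" phrasing no longer matches; if that was deliberate a short `// requires plural "days"` comment above the regex would make it obvious to the next editor. The `any(body.links, ...)` expression and the surrounding `source: |` block begin before and continue past this hunk.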
