diff --git a/detection-rules/observed_malicious_body_link_domains.yml b/detection-rules/observed_malicious_body_link_domains.yml
new file mode 100644
index 00000000000..38ec56423b3
--- /dev/null
+++ b/detection-rules/observed_malicious_body_link_domains.yml
@@ -0,0 +1,25 @@
+name: "Observed IOC: Malicious domains in body links"
+description: "Detects inbound messages containing links to known malicious domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
+type: "rule"
+severity: "high"
+source: |
+ // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
+ // Managed by automated IOC system
+ type.inbound
+ and any(body.current_thread.links,
+ hash.sha256(.href_url.domain.domain) in (
+ '358871a6a4b575d4943918cc1cb7cfc82b6c93eb7b926bee522bc97b013f8710', // Observed malicious domain in message body links
+ '96cf4453229b1cdcc1fd94d07260c037a57b999ea93d6b6f360f655305a4ad86' // Observed malicious domain in message body links
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "URL analysis"
+ - "Content analysis"
+id: "e4f5a6b7-c8d9-4e1f-8a3b-c4d5e6f7a8b9"
diff --git a/detection-rules/observed_malicious_body_link_root_domains.yml b/detection-rules/observed_malicious_body_link_root_domains.yml
new file mode 100644
index 00000000000..b76073271f4
--- /dev/null
+++ b/detection-rules/observed_malicious_body_link_root_domains.yml
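Review bot: The `in (...)` test on `hash.sha256(.href_url.domain.domain)` only fires when the engine's domain string is byte-identical to what the IOC pipeline hashed, so any case, trailing-dot or IDN-encoding difference between the two sides is a silent miss rather than a visible mismatch. Confirm that this field and the pipeline apply the same normalization before hashing, and record that contract in the header comment, e.g. `// Hashes match the exact normalized string only; keep this field's normalization in sync with the IOC pipeline`. The same concern applies to the hashed domain, root-domain and address fields in the other five files of this commit. Separately, the `id` values across the six files (this one is `e4f5a6b7-c8d9-4e1f-8a3b-c4d5e6f7a8b9`) read as sequential hex rather than random output; if they were hand-written, generate them with a real UUIDv4 generator so rule ids cannot collide with other similarly crafted ones.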
@@ -0,0 +1,25 @@
+name: "Observed IOC: Malicious root domains in body links"
+description: "Detects inbound messages containing links to known malicious root domains in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
+type: "rule"
+severity: "high"
+source: |
+ // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
+ // Managed by automated IOC system
+ type.inbound
+ and any(body.current_thread.links,
+ hash.sha256(.href_url.domain.root_domain) in (
+ '2b3a899b37c99e1be17799f8aa08cf09ba253fade16c0aa4aa5a92a28df3d492', // Invoice themed cred theft
+ 'bc470dca9be34cef8b0179168bf667fa4b2e2ea4e364e1b404033913bc8b11a0' // Encrypted Message fake Dropbox Lure
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "URL analysis"
+ - "Content analysis"
+id: "f5a6b7c8-d9e0-4f2a-9b4c-d5e6f7a8b9c0"
diff --git a/detection-rules/observed_malicious_body_link_urls.yml b/detection-rules/observed_malicious_body_link_urls.yml
new file mode 100644
index 00000000000..610a1b5c557
--- /dev/null
+++ b/detection-rules/observed_malicious_body_link_urls.yml
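Review bot: Matching on `hash.sha256(.href_url.domain.root_domain)` flags every subdomain and path under the registrable domain, and because the entries are opaque hashes a reviewer cannot tell from this file whether an entry is a dedicated attacker domain or a shared hosting or provider domain that would produce broad false positives. The pipeline should vet root_domain entries more strictly than the exact-domain list, and the `description` should state the matching granularity, e.g. append `Matches the registrable (root) domain, so every subdomain under it is covered.` so analysts understand the blast radius of an entry. `observed_malicious_sender_root_domains.yml` later in this commit has the same concern.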
@@ -0,0 +1,25 @@
+name: "Observed IOC: Malicious URLs in body links"
+description: "Detects inbound messages containing specific known malicious URLs in the message body. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
+type: "rule"
+severity: "high"
+source: |
+ // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
+ // Managed by automated IOC system
+ type.inbound
+ and any(body.current_thread.links,
+ hash.sha256(.href_url.url) in (
+ '4256b75f07d4b2c28120637f3c5e492ee9037e6c9b815cf6bd849e73cfb59ab0', // Observed malicious Zoom impersonation URL
+ '9cbae8df195b24ca88dda3a5ce1c867b08243adadcfc65d36f7e9c2c3b601ac8' // Observed malicious Zoom impersonation URL
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "URL analysis"
+ - "Content analysis"
+id: "a6b7c8d9-e0f1-4a3b-ac5d-e6f7a8b9c0d1"
diff --git a/detection-rules/observed_malicious_sender_domains.yml b/detection-rules/observed_malicious_sender_domains.yml
new file mode 100644
index 00000000000..683c6a9b319
--- /dev/null
+++ b/detection-rules/observed_malicious_sender_domains.yml
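Review bot: `hash.sha256(.href_url.url)` is an exact-string comparison, so a tracking parameter, trailing slash or fragment appended to an otherwise identical URL yields a different hash and no detection; that is an acceptable trade-off for a curated IOC list, but the `description` should say so, e.g. `Matches the exact URL string only; variants with different query strings or fragments are not covered`, so analysts do not assume prefix or domain matching. Both entries also carry the identical comment `// Observed malicious Zoom impersonation URL`, which gives no way to trace either hash back to the feed record that produced it; a feed reference in the generated comment would make the list reviewable.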
@@ -0,0 +1,29 @@
+name: "Observed IOC: Malicious sender domains"
+description: "Detects inbound messages sent from known malicious sender domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
+type: "rule"
+severity: "high"
+source: |
+ // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
+ // Managed by automated IOC system
+ type.inbound
+ and hash.sha256(sender.email.domain.domain) in (
+ '0a6141ede4cee26d2290785f273077a1c8fb02994b1ea8443b7a05bee9ed9660', // Observed malicious sender domain
+ '4329aaaa62552b1c483a0de41ed0e2e525b87ed31b4cfccae105ef38791a9ab6', // Observed malicious sender domain
+ 'ae17c9b46750752e693bee15d77d940793862112ba2247f2f0506da9036dbe11', // Observed malicious sender domain
+ 'beb77deb75c7ba96d7a2096dec8ade6e8b4ea5ec6c72afc9fae054479e98fffa', // Observed malicious sender domain
+ 'e9c66e037a06bd8e1b07aff28f2e1644fc1684c294394a75d2c54ba1b0bc5b44', // Observed malicious sender domain
+ 'f9c727407117deb36e64c54263731370aa49caafa7348a04b6af9daf1b99767d', // Observed malicious sender domain
+ 'fd81a1ac33dca138eb203faa6d34bf1b446633b5a3b380927daabbbed9194c0c' // Observed malicious sender domain
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
+id: "c2d3e4f5-a6b7-4c9d-ae1f-a2b3c4d5e6f7"
diff --git a/detection-rules/observed_malicious_sender_emails.yml b/detection-rules/observed_malicious_sender_emails.yml
new file mode 100644
index 00000000000..267c263a61d
--- /dev/null
+++ b/detection-rules/observed_malicious_sender_emails.yml
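Review bot: All seven entries carry the same comment `// Observed malicious sender domain`, and for opaque hashes that comment is the only provenance a reviewer has, so nothing in this file lets anyone trace a hash back to the feed record that produced it or judge when it should be retired. Have the generator emit a reference per entry instead, e.g. `'<hash>', // feed-ref: <FEED-ENTRY-ID placeholder>, added <DATE placeholder>`, and since the header says `DO NOT EDIT MANUALLY`, confirm the pipeline also removes stale entries rather than only appending. The generic labels in `observed_malicious_body_link_domains.yml` earlier in this commit have the same problem.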
@@ -0,0 +1,25 @@
+name: "Observed IOC: Malicious sender email addresses"
+description: "Detects inbound messages from known malicious sender email addresses. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
+type: "rule"
+severity: "high"
+source: |
+ // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
+ // Managed by automated IOC system
+ type.inbound
+ and hash.sha256(sender.email.email) in (
+ '0cb0ec45f1392918c2f720f262df8883ae5feb7f3f7fcab3e39a0c659dd29e55', // Observed malicious sender
+ '5b5be14defe0402d391348747d654cefa42685470bcea9080c1db55a7beacddb', // Observed malicious sender email
+ 'c95e3bd1bf9cbd95ddef3c0516683f5b0f8c1f5e05ea4ceb35e81896bc7b27c7' // Observed malicious sender impersonating Google Workspace team
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Email address"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
+id: "b1c2d3e4-f5a6-4b8c-9d0e-f1a2b3c4d5e6"
diff --git a/detection-rules/observed_malicious_sender_root_domains.yml b/detection-rules/observed_malicious_sender_root_domains.yml
new file mode 100644
index 00000000000..9ae4b33172c
--- /dev/null
+++ b/detection-rules/observed_malicious_sender_root_domains.yml
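Review bot: The three entry comments use three different shapes for the same kind of IOC (`// Observed malicious sender`, `// Observed malicious sender email`, `// Observed malicious sender impersonating Google Workspace team`), which suggests they are free text carried over from the feed rather than a fixed format produced by the generator the header advertises with `AUTO-GENERATED IOC LIST`. A generated list should emit one consistent comment shape per entry, with the lure theme as an optional trailing field, so that the file diffs cleanly and a missing or malformed label is noticeable. The third comment is also the only one that documents why the entry is malicious; if that detail comes from the feed, the other two entries presumably have it too and it should be emitted uniformly.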
@@ -0,0 +1,24 @@
+name: "Observed IOC: Malicious sender root domains"
+description: "Detects inbound messages sent from known malicious sender root domains. IOC list is automatically managed and hashed by the IOC pipeline from the private threat intelligence feed."
+type: "rule"
+severity: "high"
+source: |
+ // AUTO-GENERATED IOC LIST - DO NOT EDIT MANUALLY
+ // Managed by automated IOC system
+ type.inbound
+ and hash.sha256(sender.email.domain.root_domain) in (
+ 'bca881482859b1d19364b40f36d9287fc56a073266ea2a6800f3f48cd927535f', // Subscription renewal callback
+ 'fed6d9c30d5d05ac9112171af40e3f217d546d89af8ff60fd0a7f05ba423aa06' // Subscription renewal callback
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Impersonation: Domain"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
+id: "d3e4f5a6-b7c8-4d0e-bf2a-b3c4d5e6f7a8"