diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
new file mode 100644
index 00000000000..e982756b6aa
--- /dev/null
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -0,0 +1,43 @@
+name: "Link: Cloud service with credential theft language"
+description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    strings.starts_with(body.current_thread.text, 'Cloud')
+    // cloud emoji
+    or regex.contains(body.current_thread.text, '^\x{2601}')
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).intents,
+    .name == 'cred_theft' and .confidence == 'high'
+  )
+  and any(ml.nlu_classifier(body.current_thread.text).topics,
+    .name == 'File Sharing and Cloud Services' and .confidence == 'high'
+  )
+  // sender domain matches no body domains
+  and length(body.links) > 0
+  and all(body.links,
+    .href_url.domain.root_domain != sender.email.domain.root_domain
+  )
+  // negate legit cloud companies
+  and not (
+    sender.email.domain.root_domain in ("cloud-cme.com", "cloudcounting.online")
+    // check for SPF or DMARC passed
+    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+  - "URL analysis"
+id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"
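Review bot: The vendor exemption at `and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)` accepts an SPF pass on its own, and SPF authenticates the return-path domain rather than the visible From domain, so a message with a spoofed cloud-cme.com From header sent from infrastructure whose own return-path domain passes SPF could be exempted by this block. The high-trust block just below already requires an aligned DMARC pass and null-safes it; the first block should be made consistent: `and coalesce(headers.auth_summary.dmarc.pass, false)`. The unguarded `headers.auth_summary.spf.pass` and `.dmarc.pass` may also be null when no authentication results are present, which could make the enclosing `not (...)` evaluate unexpectedly rather than as a plain false — worth confirming against the query language's null semantics. Separately, the description states the message "lacks recipient identification entities", but no entities condition appears in `source`; either add the corresponding check or drop that clause so the documented logic matches the rule.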