Create rule: Generic Financial Document Template

[missingn0pe]

Description

Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients.

Associated samples

- Sample 1

Associated hunts

- Hunt 1 (Shared Samples)
- Hunt 2 (Multi-hunt)

[missingn0pe]

Telemetry looks good. Low volume TTP but viable. 4 net new samps over L90D, good detection in depth.

One observable - There is similar style rule that matches after a few changes, but only hits 2 of the 91 samps flagged in this PR over L90D, this PR does not lean on profiles, and is a very specific pattern.

- Hunt 1 L90D (Shared Samps)
- Hunt 2 L30D (Multi-hunt)

[IndiaAce]

Hey dude, the telemetry on this rule is crazy good in Mode! batting 1000 for malicious in the last 14 days. A few things I want to point out: I see in the latest batch of rules that almost all of them match existing rules, I'm super down for detection in-depth, especially when we are resolving FNs, but I wanted to see if you had considered modifying the existing Business Email Compromise (BEC) attempt from untrusted sender rule to account for this? Been looking through the hunts and I see that a good amount of these similar emails matching the BEC rule so just wanted to toss it out.

Also, I've been working on a suite of rules for that excessive padding in the body of the email and made a PR to modify that rule and the existing generic document sharing rule to catch this sample as well, so we've got good detection-in-depth coming for this. #4556

[IndiaAce]

Gonna remove review-needed from this but feel free to shoot me a DM when you're ready for re-review for anything here!

[missingn0pe]

Hey dude, the telemetry on this rule is crazy good in Mode! batting 1000 for malicious in the last 14 days. A few things I want to point out: I see in the latest batch of rules that almost all of them match existing rules, I'm super down for detection in-depth, especially when we are resolving FNs, but I wanted to see if you had considered modifying the existing Business Email Compromise (BEC) attempt from untrusted sender rule to account for this? Been looking through the hunts and I see that a good amount of these similar emails matching the BEC rule so just wanted to toss it out.

Also, I've been working on a suite of rules for that excessive padding in the body of the email and made a PR to modify that rule and the existing generic document sharing rule to catch this sample as well, so we've got good detection-in-depth coming for this. #4556

Thanks! Given it's growing hit count, I found it a viable candidate for surfacing based on campaign template structure. I compared Business Email Compromise (BEC) attempt from untrusted sender rule against this sample, this sample does not fire nlu as BEC, it fires as cred_theft, which invalidated the rule as it is the primary condition of the rule.

[missingn0pe]

Updating logic & kicking to test rules.

Hunts:
- Hunt 1 (Multi) - New logic - L30D
- Hunt 2 (Multi) - New vs old logic - L30D
- Hunt 3 (Multi) - Old vs new logic - L30D
- Hunt 4 (Shared samps) - New logic - L90D
- Hunt 5 (Shared samps) - New vs old logic - L90D
- Hunt 6 (Shared samps) - Old vs new logic - L90D

[missingn0pe]

Quick update:

Adding nlu intent filter & simple character count to mitigate FP's & FN's introduced from removing greeting condition.

- Hunt 1 (Shared samps) - New logic - L90D
- Hunt 2 (Shared samps) - Old vs new - L90D
- Hunt 3 (Shared samps) - New vs old - L90D
- Hunt 4 (Multi) - New logic - L30D
- Hunt 5 (Multi) - New logic - Old vs new - L30D
- Hunt 6 (Multi) - New logic - New vs old - L30D

[missingn0pe]

A few changes after telemetry:

• The "will be released" branch now requires a specific date format (day of week + full date) within 15 chars, rather than matching on "will be released" alone.
• Tightened [1-4].[1-4] to [1-4]\W[1-4] to mitigate FP's.
• Changed display.text triggers
• Changed NLU confidence to mitigate scope creep
• Additional open redir trigger
• Removed goofy nlu filter that was mitigating a miss.

New free file host domain will be submitted for remaining misses.

Hunts:

- Hunt 1 (Shared Samps) - L30D - PR logic - 202 hits, 7 net new hits
- Hunt 2 (Shared Samps) - L30D - New vs old logic
- Hunt 3 (Shared samps) - L30D - Old vs new logic
- Hunt 4 (Multi) - L30D - PR logic
- Hunt 5 (Multi) - L30D - New vs old logic
- Hunt 6 (Multi) - L30D -Old vs new logic

[missingn0pe]

Can let bake for longer in test rules if needed as volume is still relatively low (only one new hit since yesterday in mode). Pushing to review needed for any additional changes needed!

[IndiaAce]

HOLY telemetry my dude these results look great. A few things to consider, these should be relatively small changes but I'm still going to remove review-needed but feel free to chuck it back my way whenever you're ready for a new review. Here's a hunt showing the diff for my suggested changes: https://platform.sublime.security/messages/hunt?huntId=019ebde3-400c-75f0-bdf0-c92402c2d30b lmk your thoughts!