

Sync from PR#2151
Create impersonation_capitalone.yml by @zoomequipd
#2151
Source SHA e25946f
Triggered by @zoomequipd
Sublime Rule Testing Bot committed Dec 11, 2024
1 parent 3393534 commit d318a23
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions detection-rules/impersonation_capitalone.yml
Expand Up @@ -2,7 +2,7 @@ name: "Brand Impersonation: Capital One"
description: "This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders."
type: "rule"
severity: "high"
source: "type.inbound\nand \n // display name contains captialone\n (\n strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n // no spaces\n or strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n // levenshtein distince similar to captial one\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'Capital One'\n ) <= 2\n // sender localpart contains captialone\n or strings.icontains(strings.replace_confusables(sender.email.local_part),\n 'capitalone'\n )\n // indicators in the footer\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n 'Capital One Financial Corp'\n )\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n '1680 Capital One Drive'\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands, .name == \"Capital One Bank\" and .confidence != \"low\")\n \n)\nand not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\n \"capitalone.com\",\n \"capitaloneshopping.com\",\n \"capitalonesoftware.com\",\n \"olbanking.com\", // a fiserv.one domain\n \"bynder.com\", // Digital Assest Mgmt\n \"gcs-web.com\", // investor relations run by capital one\n \"capitalonearena.com\", // the arena\n \"monumentalsports.com\", // the company that owns a bunch of teams that play at the arena?\n )\n and headers.auth_summary.dmarc.pass\n )\n)\n\n// and the sender is not from high trust sender root domains\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
source: "type.inbound\nand \n// display name contains captialone\n(\n (\n strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n and not strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One Arena'\n )\n )\n // no spaces\n or strings.icontains(strings.replace_confusables(sender.display_name),\n 'CapitalOne'\n )\n // levenshtein distince similar to captial one\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'Capital One'\n ) <= 2\n // sender localpart contains captialone\n or strings.icontains(strings.replace_confusables(sender.email.local_part),\n 'capitalone'\n )\n // indicators in the footer\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n 'Capital One Financial Corp'\n )\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n '1680 Capital One Drive'\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands,\n .name == \"Capital One Bank\" and .confidence != \"low\"\n )\n)\nand not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\n \"capitalone.co.uk\",\n \"capitalone.com\",\n \"capitaloneshopping.com\",\n \"capitalonesoftware.com\",\n \"capitalonebooking.com\",\n \"capitalonetravel.com\",\n \"olbanking.com\", // a fiserv.one domain\n \"bynder.com\", // Digital Assest Mgmt\n \"gcs-web.com\", // investor relations run by capital one\n \"capitalonearena.com\", // the arena\n \"monumentalsports.com\", // the company that owns a bunch of teams that play at the arena?\n \"ticketmaster.com\", // sell and advertises tickets at Capital One Arena\n )\n and headers.auth_summary.dmarc.pass\n )\n)\n// avoid FPs on branded cards by checking for common disclaimer text\n// Capital One uses Visa and Mastercard\n// https://www.capitalone.com/learn-grow/money-management/is-capital-one-visa-or-mastercard/\nand not strings.icontains(body.current_thread.text,\n 'Mastercard is a registered 
trademark, and the circles design is a trademark of Mastercard International Incorporated'\n)\n\n// and the sender is not from high trust sender root domains\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand All @@ -15,4 +15,4 @@ detection_methods:
- "Header analysis"
id: "d53848e4-fc40-5bd1-ad5e-c9c4e85a669f"
testing_pr: 2151
testing_sha: 74139e76373f352b20e37ee70b8baea39bc9127e
testing_sha: e25946f9744fd7555ee90570c834a3c8fedf2a09
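Review bot: The new Mastercard-disclaimer exclusion near the end of the `source:` value, `and not strings.icontains(body.current_thread.text, 'Mastercard is a registered trademark, …')`, is an unconditional negative match on body text, so that one phrase suppresses every other indicator in the rule — including the `ml.logo_detect` and footer-address matches — regardless of sender domain or authentication result. Because the body is not a sender property, I would tie the exclusion to the same trust signal the domain allow-list already requires, e.g. `and not (\n  strings.icontains(body.current_thread.text, 'Mastercard is a registered trademark, …')\n  and headers.auth_summary.dmarc.pass\n)`, or restructure it so the disclaimer only neutralises the display-name clauses rather than the logo and footer indicators; if leaving it unconditional is intentional, the comment above it should say so. It also differs from the other body checks in the rule, which wrap `body.current_thread.text` in `strings.replace_confusables` first; for an exclusion the raw form is the stricter choice, so a short comment such as `// intentionally no replace_confusables: keep this exclusion narrow` would prevent someone "fixing" it later. Whether MQL evaluates these `and not` clauses as plain boolean conjunction is inferred from the rule's structure, not visible here. The `source:` scalar is wholly inside the hunk, but the remainder of the rule file is not.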
