From d318a231ee3ae247204a59c8a559899bdc2fb092 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 11 Dec 2024 06:04:28 +0000
Subject: [PATCH] Sync from PR#2151 Create impersonation_capitalone.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2151 Source SHA e25946f9744fd7555ee90570c834a3c8fedf2a09 Triggered by @zoomequipd
---
 detection-rules/impersonation_capitalone.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/impersonation_capitalone.yml b/detection-rules/impersonation_capitalone.yml
index a821b917343..047927ec50e 100644
--- a/detection-rules/impersonation_capitalone.yml
+++ b/detection-rules/impersonation_capitalone.yml
@@ -2,7 +2,7 @@ name: "Brand Impersonation: Capital One"
 description: "This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders."
 type: "rule"
 severity: "high"
-source: "type.inbound\nand \n // display name contains captialone\n (\n strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n // no spaces\n or strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n // levenshtein distince similar to captial one\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'Capital One'\n ) <= 2\n // sender localpart contains captialone\n or strings.icontains(strings.replace_confusables(sender.email.local_part),\n 'capitalone'\n )\n // indicators in the footer\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n 'Capital One Financial Corp'\n )\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n '1680 Capital One Drive'\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands, .name == \"Capital One Bank\" and .confidence != \"low\")\n \n)\nand not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\n \"capitalone.com\",\n \"capitaloneshopping.com\",\n \"capitalonesoftware.com\",\n \"olbanking.com\", // a fiserv.one domain\n \"bynder.com\", // Digital Assest Mgmt\n \"gcs-web.com\", // investor relations run by capital one\n \"capitalonearena.com\", // the arena\n \"monumentalsports.com\", // the company that owns a bunch of teams that play at the arena?\n )\n and headers.auth_summary.dmarc.pass\n )\n)\n\n// and the sender is not from high trust sender root domains\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+source: "type.inbound\nand \n// display name contains captialone\n(\n (\n strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One'\n )\n and not strings.icontains(strings.replace_confusables(sender.display_name),\n 'Capital One Arena'\n )\n )\n // no spaces\n or strings.icontains(strings.replace_confusables(sender.display_name),\n 'CapitalOne'\n )\n // levenshtein distince similar to captial one\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'Capital One'\n ) <= 2\n // sender localpart contains captialone\n or strings.icontains(strings.replace_confusables(sender.email.local_part),\n 'capitalone'\n )\n // indicators in the footer\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n 'Capital One Financial Corp'\n )\n or strings.ilike(strings.replace_confusables(body.current_thread.text),\n '1680 Capital One Drive'\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands,\n .name == \"Capital One Bank\" and .confidence != \"low\"\n )\n)\nand not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\n \"capitalone.co.uk\",\n \"capitalone.com\",\n \"capitaloneshopping.com\",\n \"capitalonesoftware.com\",\n \"capitalonebooking.com\",\n \"capitalonetravel.com\",\n \"olbanking.com\", // a fiserv.one domain\n \"bynder.com\", // Digital Assest Mgmt\n \"gcs-web.com\", // investor relations run by capital one\n \"capitalonearena.com\", // the arena\n \"monumentalsports.com\", // the company that owns a bunch of teams that play at the arena?\n \"ticketmaster.com\", // sell and advertises tickets at Capital One Arena\n )\n and headers.auth_summary.dmarc.pass\n )\n)\n// avoid FPs on branded cards by checking for common disclaimer text\n// Capital One uses Visa and Mastercard\n// https://www.capitalone.com/learn-grow/money-management/is-capital-one-visa-or-mastercard/\nand not strings.icontains(body.current_thread.text,\n 'Mastercard is a registered trademark, and the circles design is a trademark of Mastercard International Incorporated'\n)\n\n// and the sender is not from high trust sender root domains\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -15,4 +15,4 @@ detection_methods:
   - "Header analysis"
 id: "d53848e4-fc40-5bd1-ad5e-c9c4e85a669f"
 testing_pr: 2151
-testing_sha: 74139e76373f352b20e37ee70b8baea39bc9127e
+testing_sha: e25946f9744fd7555ee90570c834a3c8fedf2a09
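Review bot: The new Mastercard-disclaimer exclusion in the `source` query (`and not strings.icontains(body.current_thread.text, 'Mastercard is a registered trademark, …')`) sits at the top level of the `and` chain, so any message carrying that boilerplate sentence is excluded regardless of sender domain or authentication result, which suppresses the detection more broadly than the stated goal of avoiding branded-card false positives requires. Every other exclusion in this query is gated, on `$org_domains` or on `headers.auth_summary.dmarc.pass` for the listed partner domains, and the disclaimer check should follow that pattern, e.g. `and not (strings.icontains(body.current_thread.text, 'Mastercard is a registered trademark, and the circles design is a trademark of Mastercard International Incorporated') and headers.auth_summary.dmarc.pass)`, or be tied to a sender-domain condition. Whether a DMARC gate alone is enough depends on how often legitimate co-branded card mailers fail DMARC, which cannot be judged from the rule text. The disclaimer match is also the only body check not wrapped in `strings.replace_confusables`; because it is an exclusion the stricter literal match is the safer choice, and a one-line comment such as `// literal match on purpose: exclusions should not be widened by confusable folding` would record that. The comments inside the query still carry the typos `captialone`, `distince` and `Assest`.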