From f55e151e4bccf2147129207be4a4df0f174efd2d Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:49:04 -0600
Subject: [PATCH 1/3] Create headers_DL_unsolicited.yml
---
 detection-rules/headers_DL_unsolicited.yml | 60 ++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 detection-rules/headers_DL_unsolicited.yml
diff --git a/detection-rules/headers_DL_unsolicited.yml b/detection-rules/headers_DL_unsolicited.yml
new file mode 100644
index 00000000000..0c7cea52a7e
--- /dev/null
+++ b/detection-rules/headers_DL_unsolicited.yml
@@ -0,0 +1,60 @@
+name: "Inbound Message Via Newly Observed Distribution List"
+description: "Detects when a message comes through a distribution list by matching on return paths containing Sender Rewrite Scheme (SRS) from a previously unknown domain sender to a single recipient who has never interacted with the organization. This method has been observed being abused by threat actors to deliver callback phishing."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(recipients.to) == 1
+ and length(recipients.cc) == 0
+ and length(recipients.bcc) == 0
+ // message is not from a free mail provider, we have only observed sevice providers abused
+ and sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $free_email_providers
+ and not any(recipients.to, .email.email =~ sender.email.email)
+ // uses Sender Rewrite Scheme indicating the message traversed a distribtion list or other automatic relay
+ and strings.icontains(headers.return_path.local_part, "+SRS=")
+
+ // the sender and recipient is not in $org_domains
+ and sender.email.domain.domain not in $org_domains
+ // the recipient has never sent an email to the org
+ and all(recipients.to,
+ .email.domain.domain not in $org_domains
+ // ensure the recipient domain has never send/received an email to/from the org
+ and (
+ (
+ .email.domain.domain not in $sender_domains
+ and .email.domain.root_domain not in $sender_domains
+ and .email.domain.domain not in $recipient_domains
+ and .email.domain.root_domain not in $recipient_domains
+ )
+ or .email.domain.root_domain in ("onmicrosoft.com")
+ )
+ )
+
+
+ // check the return path to ensure it's not related to our sender or the mailbox at all
+ and not strings.iends_with(headers.return_path.local_part,
+ strings.concat('@', sender.email.domain.domain)
+ )
+ and not strings.icontains(headers.return_path.local_part,
+ mailbox.email.local_part
+ )
+
+ // not an inbox rule or automatic forward from a Microsoft Account
+ and not any(headers.hops,
+ any(.fields,
+ .name in (
+ 'X-MS-Exchange-ForwardingLoop',
+ 'X-MS-Exchange-Inbox-Rules-Loop'
+ )
+ )
+ )
+
+attack_types:
+ - "Callback Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
From 75dbfd72d918ad1d1f780cf40e1f4e3c49d456d9 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 20 Dec 2024 21:50:03 +0000
Subject: [PATCH 2/3] Auto add rule ID
---
 detection-rules/headers_DL_unsolicited.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/headers_DL_unsolicited.yml b/detection-rules/headers_DL_unsolicited.yml
index 0c7cea52a7e..06e669273bf 100644
--- a/detection-rules/headers_DL_unsolicited.yml
+++ b/detection-rules/headers_DL_unsolicited.yml
@@ -58,3 +58,4 @@ tactics_and_techniques:
 detection_methods:
 - "Header analysis"
 - "Sender analysis"
+id: "8f4bc148-a6b3-5dc4-9d2b-893c38c86c48"
From 7fc7c6d5d5562a68d038c7d5c97278ef8e4522c2 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 8 Jan 2025 10:33:27 -0600
Subject: [PATCH 3/3] Update headers_DL_unsolicited.yml
---
 detection-rules/headers_DL_unsolicited.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/detection-rules/headers_DL_unsolicited.yml b/detection-rules/headers_DL_unsolicited.yml
index 06e669273bf..675bc0f5cc4 100644
--- a/detection-rules/headers_DL_unsolicited.yml
+++ b/detection-rules/headers_DL_unsolicited.yml
@@ -30,7 +30,11 @@ source: |
 or .email.domain.root_domain in ("onmicrosoft.com")
 )
 )
-
+ // if there are reply-to addresses, ensure they are also not assoicated with the org
+ and all(headers.reply_to,
+ .email.domain.domain not in $org_domains
+ and .display_name not in $org_display_names
+ )
 
 // check the return path to ensure it's not related to our sender or the mailbox at all
 and not strings.iends_with(headers.return_path.local_part,
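Review bot: The guard `and not strings.iends_with(headers.return_path.local_part, strings.concat('@', sender.email.domain.domain))` can only match when the return path's local part contains an '@', which a local part ordinarily never does, so this clause is likely a no-op and the rule does not really exclude return paths derived from the sender's own domain as the comment above it intends. Since SRS works by folding the original sender address into the rewritten local part, a containment test such as `and not strings.icontains(headers.return_path.local_part, sender.email.domain.domain)` would express that intent; verify against sample `+SRS=` headers before changing it. The comments also carry typos worth fixing in the same pass: `sevice` → `service`, `distribtion` → `distribution`, and `has never send/received` → `has never sent/received`.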
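Review bot: The comment on the new reply-to check misspells "associated"; suggest `// if there are reply-to addresses, ensure they are also not associated with the org`. The `all(headers.reply_to, …)` form presumably evaluates true when there are no reply-to addresses, which matches the comment's "if there are" wording, so no logic change is needed there. The enclosing `source` block starts and ends outside this hunk.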
@@ -49,7 +53,6 @@ source: |
 )
 )
 )
-
 attack_types:
 - "Callback Phishing"
 tactics_and_techniques: