From 051c795f542b7a2d360b98b1ab3cb2665d15670a Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 12 Dec 2024 05:02:17 +0000
Subject: [PATCH] Scheduled cleanup Removed 2194
---
 ...mpersonation_sender_local_part_org_sld.yml | 42 -------------------
 1 file changed, 42 deletions(-)
 delete mode 100644 detection-rules/impersonation_sender_local_part_org_sld.yml
diff --git a/detection-rules/impersonation_sender_local_part_org_sld.yml b/detection-rules/impersonation_sender_local_part_org_sld.yml
deleted file mode 100644
index 3164b7e2678..00000000000
--- a/detection-rules/impersonation_sender_local_part_org_sld.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-name: "Organization Domain Impersonation From New Sender"
-description: "Detects when an external sender uses the organization's domain as part of the sender's email address while sending links or attachments. The sender must be new or unusual, and either lacks prior reputation or has been previously flagged without false positives."
-type: "rule"
-severity: "low"
-source: |
- type.inbound
- // contains a link or attachment
- and (length(attachments) > 0 or length(body.links) > 0)
- // has a recipient in the To field
- and length(recipients.to) > 0
- // all the recipients are witihn the $org_domains
- and all(recipients.to, .email.domain.domain in $org_domains)
- // sender is not within the org_domain
- and sender.email.domain.root_domain not in $org_domains
- // the local part of the sender contains an SLD of the org
- and any($org_slds,
- // length check avoids FPs on short SLDs
- length(.) > 3 and strings.icontains(sender.email.local_part, .)
- )
-
- and (
- // the sender prevalence is new / outlier
- profile.by_sender().prevalence in ("new", "outlier")
- // or it's been flagged malicious/spam with now FPs
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
- )
-tags:
- - "Attack surface reduction"
-attack_types:
- - "BEC/Fraud"
- - "Credential Phishing"
-tactics_and_techniques:
- - "Impersonation: Brand"
-detection_methods:
- - "Sender analysis"
- - "Header analysis"
-id: "3c9c25ed-69cc-5764-b6bc-7e2aecb8fdb8"
-testing_pr: 2194
-testing_sha: 4878c84ade2d393c30e40ddff17c1a9ffb0ae8df