Sync from PR#2168

Create brand_impersonation_bbb.yml by @morriscode #2168 Source SHA 9f24265 Triggered by @morriscode
sublime-security · Dec 24, 2024 · eea4712 · eea4712
1 parent aa249b4
commit eea4712
Showing 1 changed file with 3 additions and 32 deletions.
diff --git a/detection-rules/brand_impersonation_bbb.yml b/detection-rules/brand_impersonation_bbb.yml
@@ -1,37 +1,8 @@
 name: "Brand impersonation: the Better Business Bureau (BBB)"
-description: "Detect impersonation of the Better Business Bureau (BBB)"
+description: "Detect impersonation of the Better Business Bureau (BBB) from unsolicited sender"
 type: "rule"
 severity: "medium"
-source: |
-  type.inbound
-  and (
-    // display name contains bbb
-    (
-      regex.icontains(strings.replace_confusables(sender.display_name),
-                      '(?:\bBBB\b|better business bureau)'
-      )
-      // or levenshtein distance similar to the full name
-      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
-                              'better business bureau'
-      ) <= 1
-    )
-    // and the sender is not in org_domains or from the bbb and passes auth
-    and not (
-      sender.email.domain.root_domain in ("bbb.org")
-      and headers.auth_summary.dmarc.pass
-    )
-  )
-  // and the sender is not from high trust sender root domains
-  and (
-    (
-      sender.email.domain.root_domain in $high_trust_sender_root_domains
-      and not headers.auth_summary.dmarc.pass
-    )
-    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
-  )
-
-  // not solicited
-  and not profile.by_sender().solicited
+source: "type.inbound\nand \n// display name contains bbb\n(\n  regex.icontains(strings.replace_confusables(sender.display_name),\n                  '(?:\\bBBB\\b|better business bureau)'\n  )\n  // or levenshtein distance similar to the full name\n  or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n                          'better business bureau'\n  ) <= 1\n)\n// and the sender is not in org_domains or from the bbb and passes auth\nand not (\n  sender.email.domain.root_domain in (\"bbb.org\", \"mybbb.org\")\n  and headers.auth_summary.dmarc.pass\n)\n\n// and the sender is not from high trust sender root domains\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n\n// not solicited\nand not profile.by_sender().solicited\n"
 attack_types:
   - "Credential Phishing"
   - "BEC/Fraud"
@@ -42,4 +13,4 @@ detection_methods:
   - "Sender analysis"
 id: "76f54e5f-c937-5693-b8e7-3ced7dac61f9"
 testing_pr: 2168
-testing_sha: ea91adda6c0e70d4251865c95de26a1de959ded5
+testing_sha: 9f2426508245fc53de1d2ef58a28f8ec3904eb69