Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create link_issuu_unsolicited.yml #2192

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
+57 −0
Open

Create link_issuu_unsolicited.yml #2192

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f27b05d
Create link_issuu_unsolicited.yml
zoomequipd Dec 4, 2024
082eb9b
Auto add rule ID
Dec 4, 2024
1e39d90
Update link_issuu_unsolicited.yml
zoomequipd Dec 11, 2024
a7a8e4f
Merge branch 'main' into zoomequipd-patch-29
zoomequipd Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 57 additions & 0 deletions detection-rules/link_issuu_unsolicited.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
name: "Link: Issuu Link from Unsolicited Sender"
description: "This detection rule matches on messaging containing at least one link to issuu..com from an unsolicited sender. issuu.com provides a free plan enabling users to create custom flipbooks and file hosting. This services has been abused by threat actors to host landing pages directing victims to a next stage of credential phishing."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(filter(body.links,
// issuu link
.href_url.domain.root_domain == 'issuu.com'
and strings.icontains(.href_url.path, "/docs/")
),
(
.href_url.query_params is null
// reduce alerting on newsletters, flyers, etc
// by ensure there are not any marketing focused query param keys like utm_source
or regex.imatch(.href_url.query_params, '^fr=[^\&]+$')
)
)

// to further reduce noise from newsletters/flyers inspect the number of imbedded images
and strings.icount(body.html.raw, '<img') < 15

// not solicited or from malicious/spam user with no FPs
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)

// netgate common senders which have not been marked as malicious
and not (
profile.by_sender().prevalence in ("common", "rare")
and profile.by_sender().any_messages_malicious_or_spam == false
)

// not from high trust sender root domains
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Free subdomain host"
detection_methods:
- "Content analysis"
- "URL analysis"
- "Sender analysis"
id: "3e38b7fe-9ec1-5738-bff4-387ff4f9c750"
Loading