Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 32 additions & 46 deletions detection-rules/phishing_blue_button_file_sharing.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,54 +5,41 @@ severity: "low"
source: |
type.inbound
and (
// no previous threads
// no previous threads, or no thread references at all
length(body.previous_threads) == 0
// or is a fake thread
or (
(length(headers.references) == 0 or headers.in_reply_to is null)
and (
subject.is_reply
or subject.is_forward
or length(body.previous_threads) > 0
)
)
or length(headers.references) == 0
or headers.in_reply_to is null
)
and any(filter(html.xpath(body.html, '//a[@href]').nodes,
// blue button background, background-color and observed colors
regex.icontains(.raw,
'(?:background(?:-color)?)\s*[:\s]\s*#(?:0078d4|3a78d1)'
)
),
(
// it's styled as a button
regex.icontains(.raw, 'padding')
)
and any(html.xpath(body.html,
// blue button background or background-color and observed colors, plus padding for button styling
'//a[@href][contains(translate(@style,"ABCDEFGHIJKLMNOPQRSTUVWXYZ","abcdefghijklmnopqrstuvwxyz"),"background") and (contains(translate(@style,"ABCDEFGHIJKLMNOPQRSTUVWXYZ","abcdefghijklmnopqrstuvwxyz"),"0078d4") or contains(translate(@style,"ABCDEFGHIJKLMNOPQRSTUVWXYZ","abcdefghijklmnopqrstuvwxyz"),"3a78d1")) and contains(translate(@style,"ABCDEFGHIJKLMNOPQRSTUVWXYZ","abcdefghijklmnopqrstuvwxyz"),"padding")]'
).nodes,
// ignore links going to microsoft
and not any(.links,
(
.href_url.domain.sld in (
"microsoft",
"azure",
"outlook.office365",
"office365"
)
)
or .href_url.domain.domain in $tenant_domains
or (
.href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
and any(.href_url.query_params_decoded['domain'],
strings.parse_domain(.).domain in (
"microsoft.com",
"azure.com",
"outlook.office365.com",
"office365.com"
)
or strings.parse_domain(.).domain in $tenant_domains
)
)
not any(.links,
(
.href_url.domain.sld in (
"microsoft",
"azure",
"outlook.office365",
"office365"
)
)
or .href_url.domain.domain in $tenant_domains
or (
.href_url.domain.root_domain in (
"mimecast.com",
"mimecastprotect.com"
)
and any(.href_url.query_params_decoded['domain'],
strings.parse_domain(.).domain in (
"microsoft.com",
"azure.com",
"outlook.office365.com",
"office365.com"
)
or strings.parse_domain(.).domain in $tenant_domains
)
)
)
)
and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
Expand All @@ -65,7 +52,6 @@ source: |
sender.email.domain.root_domain == "microsoft.com"
and headers.auth_summary.dmarc.pass
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down