From 8502d1c8f23c51a3b090b523963ba506164142e6 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Nov 2024 11:54:06 -0800
Subject: [PATCH 1/8] Create impersonation_benefits_enrollment.yml
---
 .../impersonation_benefits_enrollment.yml | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 detection-rules/impersonation_benefits_enrollment.yml
diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
new file mode 100644
index 00000000000..23b5d213e04
--- /dev/null
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -0,0 +1,102 @@ +name: "Benefits Enrollment Impersonation" +description: "Detects unauthorized messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication." +type: "rule" +severity: "high" +source: | + type.inbound + and sender.email.domain.domain not in $org_domains + and length(body.current_thread.text) < 2500 + and 1 of ( + regex.icontains(subject.subject, + '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment + 'benefit(s)? (plan|choice|selection|deadline|period)', + 'hr benefits', + 'annual enrol{1,2}ment', + 'healthcare (choice|selection|opt.?in)', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + 'dependent (coverage|verification)', + '(health|dental|vision|insurance|medical) enrol{1,2}ment' + ), + regex.icontains(body.current_thread.text, + '(open|benefits?) enrol{1,2}ment', + 'benefit(s)? 
(plan|choice|selection|deadline|period)', + 'hr benefits', + 'annual enrol{1,2}ment', + 'healthcare (choice|selection|opt.?in)', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + 'dependent (coverage|verification)', + '(health|dental|vision|insurance|medical) enrol{1,2}ment', + '(urgent|immediate) action required.*(benefit|enrol{1,2}ment)', + 'coverage.*(expire|terminate)', + 'last (day|chance).*(enrol{1,2}|select)', + '(login|sign.?in).*(benefit portal|hr portal)', + '(verify|update|confirm).*(benefit.*selection)' + ) + ) + and 1 of ( + any(ml.nlu_classifier(body.current_thread.text).entities, + .name in ("urgency", "request") + ), + any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"), + (length(body.current_thread.text) < 250 and length(attachments) == 1) + ) + + // negate replies + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) + + // Negate common marketing mailers + and not regex.icontains(sender.display_name, + 'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations' + ) + and not ( + any(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + "constantcontact.com" + ) + ) + or any(headers.hops, + strings.icontains(.received_spf.designator, "constantcontact.com") + ) + or ( + ( + any(headers.hops, + .index == 0 + and any(.authentication_results.dkim_details, + .domain == "auth.ccsend.com" + ) + ) + ) + and headers.auth_summary.dmarc.pass + ) + or any(headers.references, strings.iends_with(., "ccsend.com")) + ) + and ( + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not 
headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Impersonation: Employee" + - "Out of band pivot" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" From ff02b8944eb18531666edee93dc39b2bab2edfe9 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Mon, 18 Nov 2024 11:54:44 -0800 Subject: [PATCH 2/8] Update impersonation_benefits_enrollment.yml --- detection-rules/impersonation_benefits_enrollment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml index 23b5d213e04..96e4c841460 100644 --- a/detection-rules/impersonation_benefits_enrollment.yml +++ b/detection-rules/impersonation_benefits_enrollment.yml @@ -1,5 +1,5 @@ name: "Benefits Enrollment Impersonation" -description: "Detects unauthorized messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication." +description: "Detects messages about benefit enrollment periods and healthcare selections from external senders that contain urgent language or requests for action. Excludes legitimate HR communications, marketing mailers, and trusted sender domains with valid authentication." type: "rule" severity: "high" source: | From 50c11df1bc9000a7e886b5fbc0bf367ce0a1bd6c Mon Sep 17 00:00:00 2001 From: ID Generator Date: Mon, 18 Nov 2024 19:55:24 +0000 Subject: [PATCH 3/8] Auto add rule ID --- detection-rules/impersonation_benefits_enrollment.yml | 1 + 1 file changed, 1 insertion(+) 
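Review bot: The marketing-mailer negation in the `and not (` block is weaker than the rule's own trusted-domain logic: the two Constant Contact branches match `constantcontact.com` in `spf_details.designator` / `received_spf.designator` on any hop without requiring the SPF result to pass, and the `headers.references` branch keys on a sender-set header, while only the `auth.ccsend.com` DKIM branch is gated by `headers.auth_summary.dmarc.pass`. Since this block suppresses a `severity: "high"` credential-phishing detection, the looser branches should carry the same gate, e.g. `and headers.auth_summary.dmarc.pass` alongside each designator match, or be folded into the DKIM+DMARC branch. A one-line comment above the block stating that these exclusions are for authenticated Constant Contact traffic only would also make the intent clear to the next maintainer. The hunk covers the whole new file, so nothing is cut off here.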
diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 96e4c841460..3be370e9442 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -100,3 +100,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"
From d2b2e55324bcec2a7cb688bfc53f3b8f99467f58 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 22 Nov 2024 08:54:22 -0800
Subject: [PATCH 4/8] Update impersonation_benefits_enrollment.yml
---
 .../impersonation_benefits_enrollment.yml | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 3be370e9442..f4665acfdff 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -6,7 +6,7 @@ source: |
 type.inbound
 and sender.email.domain.domain not in $org_domains
 and length(body.current_thread.text) < 2500
- and 1 of (
+ and (
 regex.icontains(subject.subject,
 '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
 'benefit(s)? (plan|choice|selection|deadline|period)',
@@ -16,21 +16,21 @@ source: | '(fsa|hsa|401k) (enrol{1,2}ment|selection)', 'dependent (coverage|verification)', '(health|dental|vision|insurance|medical) enrol{1,2}ment' - ), - regex.icontains(body.current_thread.text, - '(open|benefits?) enrol{1,2}ment', - 'benefit(s)? (plan|choice|selection|deadline|period)', - 'hr benefits', - 'annual enrol{1,2}ment', - 'healthcare (choice|selection|opt.?in)', - '(fsa|hsa|401k) (enrol{1,2}ment|selection)', - 'dependent (coverage|verification)', - '(health|dental|vision|insurance|medical) enrol{1,2}ment', - '(urgent|immediate) action required.*(benefit|enrol{1,2}ment)', - 'coverage.*(expire|terminate)', - 'last (day|chance).*(enrol{1,2}|select)', - '(login|sign.?in).*(benefit portal|hr portal)', - '(verify|update|confirm).*(benefit.*selection)' + ) + or regex.icontains(body.current_thread.text, + '(open|benefits?) enrol{1,2}ment', + 'benefit(s)? (plan|choice|selection|deadline|period)', + 'hr benefits', + 'annual enrol{1,2}ment', + 'healthcare (choice|selection|opt.?in)', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + 'dependent (coverage|verification)', + '(health|dental|vision|insurance|medical) enrol{1,2}ment', + '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)', + 'coverage.{0,20}(expire|terminate)', + 'last (day|chance).{0,20}(enrol{1,2}|select)', + '(login|sign.?in).{0,20}(benefit portal|hr portal)', + '(verify|update|confirm).{0,20}(benefit.{0,20}selection)' ) ) and 1 of ( From 9b89fd8f37a5f6d4f87328efde446fd250a10930 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 5 Dec 2024 10:03:39 -0800 Subject: [PATCH 5/8] Update impersonation_benefits_enrollment.yml --- .../impersonation_benefits_enrollment.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml index f4665acfdff..8c995f0bfac 100644 --- a/detection-rules/impersonation_benefits_enrollment.yml 
+++ b/detection-rules/impersonation_benefits_enrollment.yml @@ -18,7 +18,6 @@ source: | '(health|dental|vision|insurance|medical) enrol{1,2}ment' ) or regex.icontains(body.current_thread.text, - '(open|benefits?) enrol{1,2}ment', 'benefit(s)? (plan|choice|selection|deadline|period)', 'hr benefits', 'annual enrol{1,2}ment', @@ -33,7 +32,7 @@ source: | '(verify|update|confirm).{0,20}(benefit.{0,20}selection)' ) ) - and 1 of ( + and 2 of ( any(ml.nlu_classifier(body.current_thread.text).entities, .name in ("urgency", "request") ), @@ -52,6 +51,7 @@ source: | 'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations' ) and not ( + // Constant Contact any(headers.hops, strings.icontains(.authentication_results.spf_details.designator, "constantcontact.com" @@ -72,6 +72,19 @@ source: | and headers.auth_summary.dmarc.pass ) or any(headers.references, strings.iends_with(., "ccsend.com")) + // Hubspot + or any(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + "hubspotemail.net" + ) + ) + ) + and sender.email.domain.root_domain not in~ ( + 'medicare.gov', + 'farmers.com', + 'uhc.com', + 'blueshieldca.com', + 'corestream.com' ) and ( profile.by_sender().prevalence in ("new", "outlier") From 95f87c2a1d8fa61b7d5d0a899e294687bced8677 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Tue, 10 Dec 2024 09:41:55 -0800 Subject: [PATCH 6/8] Update impersonation_benefits_enrollment.yml --- detection-rules/impersonation_benefits_enrollment.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml index 8c995f0bfac..8e740239078 100644 --- a/detection-rules/impersonation_benefits_enrollment.yml +++ b/detection-rules/impersonation_benefits_enrollment.yml 
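Review bot: The new `sender.email.domain.root_domain not in~ ('medicare.gov', 'farmers.com', 'uhc.com', 'blueshieldca.com', 'corestream.com')` exclusion in the last hunk is not gated on authentication, unlike the `$high_trust_sender_root_domains` clause a few lines below it, so a message carrying one of these domains in the From header is excluded even when it fails DMARC; the domains listed are exactly the benefits-provider lookalikes this rule is meant to catch. I would rewrite it in the same shape as the existing trusted-domain clause, `and not (sender.email.domain.root_domain in~ ('medicare.gov', 'farmers.com', 'uhc.com', 'blueshieldca.com', 'corestream.com') and headers.auth_summary.dmarc.pass)`, and add a comment such as `// legitimate benefits providers (authenticated only)` above it, since the list has no stated reason. The added `hubspotemail.net` SPF-designator branch has the same gap as the Constant Contact designator branches, with no pass requirement on the result. The enclosing `source` block starts and ends outside these hunks.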
@@ -5,7 +5,10 @@ severity: "high"
 source: |
 type.inbound
 and sender.email.domain.domain not in $org_domains
- and length(body.current_thread.text) < 2500
+ and (
+ length(body.current_thread.text) < 2500
+ or body.current_thread.text is null
+ )
 and (
 regex.icontains(subject.subject,
 '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
From c92102159021bc96b72e2e94f498aec783faadc6 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Tue, 10 Dec 2024 09:56:49 -0800
Subject: [PATCH 7/8] Update impersonation_benefits_enrollment.yml (#2203)
Co-authored-by: Aiden Mitchell
---
 .../impersonation_benefits_enrollment.yml | 154 +++++++++++-------
 1 file changed, 93 insertions(+), 61 deletions(-)
diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 8e740239078..af1bb0a891c 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -6,7 +6,7 @@ source: |
 type.inbound
 and sender.email.domain.domain not in $org_domains
 and (
- length(body.current_thread.text) < 2500
+ length(body.current_thread.text) < 2500
 or body.current_thread.text is null
 )
 and (
@@ -34,77 +34,109 @@ source: | '(login|sign.?in).{0,20}(benefit portal|hr portal)', '(verify|update|confirm).{0,20}(benefit.{0,20}selection)' ) + or any(attachments, regex.icontains(.file_name, + 'fileDoc-Review', + '(open|benefits?) enrol{1,2}ment', + 'annual enrol{1,2}ment', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)', + ) + ) ) and 2 of ( any(ml.nlu_classifier(body.current_thread.text).entities, .name in ("urgency", "request") ), - any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"), - (length(body.current_thread.text) < 250 and length(attachments) == 1) - ) - - // negate replies - and ( - length(headers.references) == 0 - or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) - ) - - // Negate common marketing mailers - and not regex.icontains(sender.display_name, - 'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations' + any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"), + ( + (length(body.current_thread.text) < 250 and length(attachments) == 1) + or (body.current_thread.text is null and length(attachments) == 1) + ), + // lure in attachment + ( + any(attachments, + ( + .file_type in $file_types_images + or .file_type in ("pdf", "docx", "doc") + or .file_extension in $file_extensions_macros + ) + and any(filter(file.explode(.), .scan.ocr.raw is not null), + ( + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name != "benign" + ) + or any(ml.nlu_classifier(.scan.ocr.raw).entities, + .name in ("urgency", "request") + ) + ) + ) + ) + ) ) - and not ( - // Constant Contact - any(headers.hops, - strings.icontains(.authentication_results.spf_details.designator, - "constantcontact.com" + // negate replies + and ( + length(headers.references) == 0 + or not any(headers.hops, + any(.fields, strings.ilike(.name, "In-Reply-To")) ) - ) - or any(headers.hops, - 
strings.icontains(.received_spf.designator, "constantcontact.com") - ) - or ( - ( + ) + + // Negate common marketing mailers + and not regex.icontains(sender.display_name, + 'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations' + ) + and not ( + // Constant Contact any(headers.hops, - .index == 0 - and any(.authentication_results.dkim_details, - .domain == "auth.ccsend.com" + strings.icontains(.authentication_results.spf_details.designator, + "constantcontact.com" ) ) + or any(headers.hops, + strings.icontains(.received_spf.designator, "constantcontact.com") + ) + or ( + ( + any(headers.hops, + .index == 0 + and any(.authentication_results.dkim_details, + .domain == "auth.ccsend.com" + ) + ) + ) + and headers.auth_summary.dmarc.pass + ) + or any(headers.references, strings.iends_with(., "ccsend.com")) + // Hubspot + or any(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + "hubspotemail.net" + ) + ) ) - and headers.auth_summary.dmarc.pass - ) - or any(headers.references, strings.iends_with(., "ccsend.com")) - // Hubspot - or any(headers.hops, - strings.icontains(.authentication_results.spf_details.designator, - "hubspotemail.net" - ) - ) - ) - and sender.email.domain.root_domain not in~ ( - 'medicare.gov', - 'farmers.com', - 'uhc.com', - 'blueshieldca.com', - 'corestream.com' - ) - and ( - profile.by_sender().prevalence in ("new", "outlier") - or ( - profile.by_sender().any_messages_malicious_or_spam - and not profile.by_sender().any_false_positives - ) - ) - // negate highly trusted sender domains unless they fail DMARC authentication - and ( - ( - sender.email.domain.root_domain in $high_trust_sender_root_domains - and not headers.auth_summary.dmarc.pass - ) - or sender.email.domain.root_domain not in $high_trust_sender_root_domains - ) - + and sender.email.domain.root_domain not in~ ( + 'medicare.gov', + 'farmers.com', + 'uhc.com', + 'blueshieldca.com', + 
'corestream.com' + ) + and ( + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) + attack_types: - "Credential Phishing" tactics_and_techniques: From df9c68a84d84ea051f05d489f42d3d3d7692eb25 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Tue, 10 Dec 2024 09:58:19 -0800 Subject: [PATCH 8/8] Update impersonation_benefits_enrollment.yml --- .../impersonation_benefits_enrollment.yml | 140 +++++++++--------- 1 file changed, 69 insertions(+), 71 deletions(-) diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml index af1bb0a891c..5d1cc05eea8 100644 --- a/detection-rules/impersonation_benefits_enrollment.yml +++ b/detection-rules/impersonation_benefits_enrollment.yml @@ -6,8 +6,7 @@ source: | type.inbound and sender.email.domain.domain not in $org_domains and ( - length(body.current_thread.text) < 2500 - or body.current_thread.text is null + length(body.current_thread.text) < 2500 or body.current_thread.text is null ) and ( regex.icontains(subject.subject, 
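Review bot: The new attachment file-name branch ends its `regex.icontains(.file_name, ...)` argument list with a trailing comma before the closing parenthesis (`'(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)', )`), which the later re-indentation commit keeps; I cannot confirm from here whether the rule compiler tolerates a trailing argument comma, so this should be checked against the test harness or the comma dropped to match every other argument list in the file. In the same list, `'fileDoc-Review'` is a bare literal among generic enrollment patterns with nothing explaining it; a comment such as `// observed lure filename stem — revisit if it stops matching` would record why it is there and when it can be removed. The OCR branch is otherwise consistent with the body-text checks. This hunk covers the rest of the `source` block through `tactics_and_techniques:`, so the enclosing block starts outside it.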
@@ -34,20 +33,21 @@ source: | '(login|sign.?in).{0,20}(benefit portal|hr portal)', '(verify|update|confirm).{0,20}(benefit.{0,20}selection)' ) - or any(attachments, regex.icontains(.file_name, - 'fileDoc-Review', - '(open|benefits?) enrol{1,2}ment', - 'annual enrol{1,2}ment', - '(fsa|hsa|401k) (enrol{1,2}ment|selection)', - '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)', - ) - ) + or any(attachments, + regex.icontains(.file_name, + 'fileDoc-Review', + '(open|benefits?) enrol{1,2}ment', + 'annual enrol{1,2}ment', + '(fsa|hsa|401k) (enrol{1,2}ment|selection)', + '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)', + ) + ) ) and 2 of ( any(ml.nlu_classifier(body.current_thread.text).entities, .name in ("urgency", "request") ), - any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"), + any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign"), ( (length(body.current_thread.text) < 250 and length(attachments) == 1) or (body.current_thread.text is null and length(attachments) == 1) 
@@ -66,76 +66,74 @@ source: | .name != "benign" ) or any(ml.nlu_classifier(.scan.ocr.raw).entities, - .name in ("urgency", "request") + .name in ("urgency", "request") ) ) - ) ) ) + ) + ) + // negate replies + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) ) - // negate replies - and ( - length(headers.references) == 0 - or not any(headers.hops, - any(.fields, strings.ilike(.name, "In-Reply-To")) - ) - ) - // Negate common marketing mailers - and not regex.icontains(sender.display_name, - 'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations' - ) - and not ( - // Constant Contact - any(headers.hops, - strings.icontains(.authentication_results.spf_details.designator, - "constantcontact.com" - ) - ) - or any(headers.hops, - strings.icontains(.received_spf.designator, "constantcontact.com") + // Negate common marketing mailers + and not regex.icontains(sender.display_name, + 'HR (?:Events|Expert|Support Center|Studies|Knowledge Cloud|News Library|Crowd|Solutions|Interests)|HR and People Operations' + ) + and not ( + // Constant Contact + any(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + "constantcontact.com" ) - or ( - ( - any(headers.hops, - .index == 0 - and any(.authentication_results.dkim_details, - .domain == "auth.ccsend.com" - ) + ) + or any(headers.hops, + strings.icontains(.received_spf.designator, "constantcontact.com") + ) + or ( + ( + any(headers.hops, + .index == 0 + and any(.authentication_results.dkim_details, + .domain == "auth.ccsend.com" ) - ) - and headers.auth_summary.dmarc.pass - ) - or any(headers.references, strings.iends_with(., "ccsend.com")) - // Hubspot - or any(headers.hops, - strings.icontains(.authentication_results.spf_details.designator, - "hubspotemail.net" - ) - ) - ) - and sender.email.domain.root_domain not in~ ( - 'medicare.gov', - 'farmers.com', - 
'uhc.com', - 'blueshieldca.com', - 'corestream.com' - ) - and ( - profile.by_sender().prevalence in ("new", "outlier") - or ( - profile.by_sender().any_messages_malicious_or_spam - and not profile.by_sender().any_false_positives - ) - ) - // negate highly trusted sender domains unless they fail DMARC authentication - and ( - ( - sender.email.domain.root_domain in $high_trust_sender_root_domains - and not headers.auth_summary.dmarc.pass ) - or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) + and headers.auth_summary.dmarc.pass + ) + or any(headers.references, strings.iends_with(., "ccsend.com")) + // Hubspot + or any(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + "hubspotemail.net" + ) + ) + ) + and sender.email.domain.root_domain not in~ ( + 'medicare.gov', + 'farmers.com', + 'uhc.com', + 'blueshieldca.com', + 'corestream.com' + ) + and ( + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + // negate highly trusted sender domains unless they fail DMARC authentication + and ( + ( + sender.email.domain.root_domain in $high_trust_sender_root_domains + and not headers.auth_summary.dmarc.pass + ) + or sender.email.domain.root_domain not in $high_trust_sender_root_domains + ) attack_types: - "Credential Phishing"