From fd041917bff8d7ef7b7fd00c973cf813078bc391 Mon Sep 17 00:00:00 2001 From: Sublime Rule Testing Bot Date: Tue, 14 Jan 2025 16:54:44 +0000 Subject: [PATCH] Sync from PR#2310 Update attachment_pdf_extortion_leveraging_breach_data.yml by @morriscode https://github.com/sublime-security/sublime-rules/pull/2310 Source SHA aedb24f0f031de4a17fa9308c489db85269b522f Triggered by @morriscode --- ...t_pdf_extortion_leveraging_breach_data.yml | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 detection-rules/attachment_pdf_extortion_leveraging_breach_data.yml diff --git a/detection-rules/attachment_pdf_extortion_leveraging_breach_data.yml b/detection-rules/attachment_pdf_extortion_leveraging_breach_data.yml new file mode 100644 index 00000000000..783b881abba --- /dev/null +++ b/detection-rules/attachment_pdf_extortion_leveraging_breach_data.yml @@ -0,0 +1,75 @@ +name: "Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender" +description: "Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear." +type: "rule" +severity: "high" +source: | + type.inbound + + // sender is a freemail domain + and sender.email.domain.root_domain in $free_email_providers + + // attachment filename is the same as the subject + and any(attachments, + ( + strings.ilevenshtein(strings.concat(subject.subject, + ".", + .file_extension + ), + .file_name + ) <= 1 + ) + or strings.contains(.file_name, subject.subject) + ) + + // body contains a US address, or the body is the subject + and ( + regex.icontains(body.current_thread.text, + '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?|\d+\s[\w\s.]+(?:Street|St|Avenue|Ave|Boulevard|Blvd|Road|Rd|Drive|Dr|Lane|Ln|Court|Ct|Way|Place|Pl|Terrace|Ter|Circle|Cir|Parkway|Pkwy|Trail|Trl|Highway|Hwy|Loop)\b\.?', + // a Canadian address + '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d' + ) + or subject.subject == body.current_thread.text + ) + + // there's a PDF attachment with an image at a depth of one, measuring 148x148 and containing a QR code that is a BTC address + and any(attachments, + .file_type == "pdf" + and any(file.explode(.), + ( + (.depth == 1 and .flavors.mime == "image/jpeg") + and ( + .scan.exiftool.image_height == 148 + and .scan.exiftool.image_width == 148 + and regex.match(.scan.qr.data, + '(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qp-z0-9]{39,59})' + ) + ) + ) + or ( + any(.scan.strings.strings, + regex.icontains(., + 'Amount(?:\s*\w+){0,3}\s*:?\s*(?:USD\s*)?(?:\$\s?\d+|\d+\s?\$?)' + ) + ) + and any(.scan.strings.strings, + regex.icontains(., + '(\bBITCOIN\b|\bBTC\b|\bLTC\b|Wallet)' + ) + ) + ) + ) + ) +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Free email provider" + - "PDF" + - "Social engineering" + - "QR code" +detection_methods: + - "Content analysis" + - "File analysis" + - "QR code analysis" +id: "efb5a213-df55-5ddc-a300-ad3a6da8e74e" +testing_pr: 2310 +testing_sha: aedb24f0f031de4a17fa9308c489db85269b522f