diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml
index 9766cee4ded..cc541a2f440 100644
--- a/detection-rules/attachment_qr_code_suspicious_components.yml
+++ b/detection-rules/attachment_qr_code_suspicious_components.yml
@@ -72,6 +72,7 @@ source: |
 // or the QR code's root domain is a url_shortener
 .scan.qr.url.domain.root_domain in $url_shorteners
+ or .scan.qr.url.domain.root_domain in $social_landing_hosts
 and (
 not (
 any(ml.nlu_classifier(body.current_thread.text).intents,
diff --git a/detection-rules/attachment_rtf_file_with_suspicious_link.yml b/detection-rules/attachment_rtf_file_with_suspicious_link.yml
index 0fd5231017c..7360af1444e 100644
--- a/detection-rules/attachment_rtf_file_with_suspicious_link.yml
+++ b/detection-rules/attachment_rtf_file_with_suspicious_link.yml
@@ -28,6 +28,7 @@ source: |
 or .domain.root_domain in $free_file_hosts
 or .domain.root_domain in $free_subdomain_hosts
 or .domain.root_domain in $url_shorteners
+ or .domain.root_domain in $social_landing_hosts
 )
 // or the url contains the recipient email and the root_domain is not in tranco
 or (
diff --git a/detection-rules/brand_impersonation_ms_planner.yml b/detection-rules/brand_impersonation_ms_planner.yml
index 7713e0ed945..76092b94a62 100644
--- a/detection-rules/brand_impersonation_ms_planner.yml
+++ b/detection-rules/brand_impersonation_ms_planner.yml
@@ -12,6 +12,8 @@ source: |
 or .href_url.domain.root_domain in $free_file_hosts
 or .href_url.domain.root_domain in $free_subdomain_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
+ or .href_url.domain.root_domain in $social_landing_hosts
 or
 // mass mailer link, masks the actual URL
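Review bot: The added `or .scan.qr.url.domain.root_domain in $social_landing_hosts` sits directly before the `and (` that wraps the `not (any(ml.nlu_classifier(...)` check, with no parentheses around the two `in` tests; if MQL gives `and` the usual higher precedence than `or`, that `and (...)` gate now binds to the new social-landing clause alone, so the NLU condition changes which clause it gates rather than being extended to both. Wrapping both tests, `( .scan.qr.url.domain.root_domain in $url_shorteners or .scan.qr.url.domain.root_domain in $social_landing_hosts )`, keeps the gate applying to both. The first hunk of link_coinbase_low_rep_or_shortened.yml has the same shape (`or .href_url.domain.domain in $social_landing_hosts` immediately before `// exempting legitimate Google Maps shortener` / `and (`), so the Google Maps exemption there may now apply only to the new clause. The context comment `// or the QR code's root domain is a url_shortener` also no longer describes the condition; `// or the QR code's root domain is a url_shortener or social landing host` would. The enclosing source block starts and ends outside the hunk, so the surrounding parenthesisation should be confirmed against the file.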
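Review bot: The new `or .domain.root_domain in $social_landing_hosts` copies the field the existing `$url_shorteners` test uses, so this rule matches `$social_landing_hosts` only on the registrable domain, while credential_phishing_corporate_services_impersonation_with_suspicious_link.yml, link_autodownloaded_html_smuggling.yml, the second hunk of link_coinbase_low_rep_or_shortened.yml, link_microsoft_low_reputation.yml, link_quickbooks_image_lure_suspicious_link.yml and spoofable_internal_domain_suspicious_signals.yml match it only on `.domain.domain`, and brand_impersonation_ms_planner.yml, govdelivery_compromise.yml and the multistage rules check both fields. Whether a single-field test is enough depends on the shape of the entries in `$social_landing_hosts`: an entry that is a full hostname can never match a `root_domain`-only test, and a bare registrable domain matches a `domain`-only test only when the link carries no subdomain; the list definition is not in this diff, so this should be confirmed. If the list mixes both shapes, the two-line form used in brand_impersonation_ms_planner.yml — here `or .domain.domain in $social_landing_hosts` / `or .domain.root_domain in $social_landing_hosts` — is the safe one in each of these rules. The enclosing source block begins and ends outside the hunk.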
diff --git a/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml b/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
index 1221dfcf214..c494c0e27be 100644
--- a/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
+++ b/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
@@ -77,6 +77,7 @@ source: |
 or .href_url.domain.root_domain in $free_file_hosts
 or .href_url.domain.root_domain in $free_subdomain_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 )
 or
 // or mass mailer link, masks the actual URL
diff --git a/detection-rules/govdelivery_compromise.yml b/detection-rules/govdelivery_compromise.yml
index c7a7bb1fa89..9b16f0a197f 100644
--- a/detection-rules/govdelivery_compromise.yml
+++ b/detection-rules/govdelivery_compromise.yml
@@ -24,7 +24,9 @@ source: |
 ),
 // this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
 strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
+ or strings.parse_url(.named_groups["url"]).domain.domain in $social_landing_hosts
 or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
+ or strings.parse_url(.named_groups["url"]).domain.root_domain in $social_landing_hosts
 or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
 or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
 or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30
diff --git a/detection-rules/link_autodownloaded_html_smuggling.yml b/detection-rules/link_autodownloaded_html_smuggling.yml
index 11d65a959a6..b0a06d4b4d1 100644
--- a/detection-rules/link_autodownloaded_html_smuggling.yml
+++ b/detection-rules/link_autodownloaded_html_smuggling.yml
@@ -11,6 +11,7 @@ source: |
 or .href_url.domain.root_domain in $free_file_hosts
 or .href_url.domain.root_domain in $free_subdomain_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or
 // mass mailer link, masks the actual URL
diff --git a/detection-rules/link_coinbase_low_rep_or_shortened.yml b/detection-rules/link_coinbase_low_rep_or_shortened.yml
index 8e9e4ebb002..35869008fd4 100644
--- a/detection-rules/link_coinbase_low_rep_or_shortened.yml
+++ b/detection-rules/link_coinbase_low_rep_or_shortened.yml
@@ -16,6 +16,7 @@ source: |
 // low rep or url shortened links found
 and any(body.links,
 .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 // exempting legitimate Google Maps shortener
 and (
@@ -26,6 +27,7 @@ source: |
 or .href_url.domain.root_domain in $free_file_hosts
 or .href_url.domain.root_domain in $free_subdomain_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or
 // mass mailer link, masks the actual URL
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index 1be6230b9a5..9fe50ed2feb 100644
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -392,7 +392,9 @@ source: |
 )
 and (
 .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 or .href_url.domain.domain in $free_file_hosts
 or (
 .href_url.domain.root_domain in (
@@ -404,6 +406,8 @@ source: |
 or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $url_shorteners
 or strings.parse_url(strings.concat("https://", .)).domain.domain in $free_file_hosts
 or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $free_subdomain_hosts
+ or strings.parse_url(strings.concat("https://", .)).domain.domain in $social_landing_hosts
+ or strings.parse_url(strings.concat("https://", .)).domain.root_domain in $social_landing_hosts
 )
 )
 )
diff --git a/detection-rules/link_google_presentation_open_redirect.yml b/detection-rules/link_google_presentation_open_redirect.yml
index 08e34a9e400..a5eb84efea0 100644
--- a/detection-rules/link_google_presentation_open_redirect.yml
+++ b/detection-rules/link_google_presentation_open_redirect.yml
@@ -55,6 +55,7 @@ source: |
 or .href_url.domain.root_domain in $free_subdomain_hosts
 // or it's a url shortner
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 )
 // which have been "unrolled" by the google_open_redirect rule
 and any(.href_url.rewrite.encoders,
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 3dee66700e7..0c52f53ab2a 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -13,6 +13,7 @@ source: |
 or .href_url.domain.root_domain in $free_file_hosts
 or .href_url.domain.root_domain in $free_subdomain_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or
 // mass mailer link, masks the actual URL
diff --git a/detection-rules/link_multistage_adobe_express.yml b/detection-rules/link_multistage_adobe_express.yml
index 3578e588fdc..de9405ab30f 100644
--- a/detection-rules/link_multistage_adobe_express.yml
+++ b/detection-rules/link_multistage_adobe_express.yml
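Review bot: The context comment `// or it's a url shortner` in link_google_presentation_open_redirect.yml now heads two tests, the shortener one and the added `or .href_url.domain.root_domain in $social_landing_hosts`, so it understates what the branch matches; `// or it's a url shortener or social landing host` would keep it accurate (and corrects the spelling). The same stale wording is left around the additions in link_multistage_adobe_express.yml, link_multistage_docusign.yml, link_multistage_frame_io.yml, link_multistage_google_drive.yml and link_published_google_doc.yml (`// go to url shortners`), in link_coinbase_low_rep_or_shortened.yml (`// low rep or url shortened links found`) and in spam_url_shortener_emojis.yml (`// has a URL shortener`). These comments are how a reader of a rule learns why a link was flagged, so they are worth updating in the same commit. The enclosing source block begins and ends outside the hunk.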
@@ -49,7 +49,9 @@ source: |
 )
 // go to url shortners
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or (
 // find any links that mention common "action" words
 regex.icontains(.display_text,
diff --git a/detection-rules/link_multistage_docusign.yml b/detection-rules/link_multistage_docusign.yml
index c3aef5ce5cd..4f6c57df997 100644
--- a/detection-rules/link_multistage_docusign.yml
+++ b/detection-rules/link_multistage_docusign.yml
@@ -57,7 +57,9 @@ source: |
 )
 // go to url shortners
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or (
 // find any links that mention common "action" words
 regex.icontains(.display_text,
diff --git a/detection-rules/link_multistage_frame_io.yml b/detection-rules/link_multistage_frame_io.yml
index 3373643d13c..5cf4de84779 100644
--- a/detection-rules/link_multistage_frame_io.yml
+++ b/detection-rules/link_multistage_frame_io.yml
@@ -116,7 +116,9 @@ source: |
 )
 // go to url shortners
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or (
 // find any links that mention common "action" words
 regex.icontains(subject.subject,
diff --git a/detection-rules/link_multistage_google_drive.yml b/detection-rules/link_multistage_google_drive.yml
index 364a8f0b903..c2f47480f72 100644
--- a/detection-rules/link_multistage_google_drive.yml
+++ b/detection-rules/link_multistage_google_drive.yml
@@ -103,7 +103,9 @@ source: |
 or strings.parse_url(.).domain.domain in $free_file_hosts
 or strings.parse_url(.).domain.root_domain in $free_file_hosts
 or strings.parse_url(.).domain.domain in $url_shorteners
+ or strings.parse_url(.).domain.domain in $social_landing_hosts
 or strings.parse_url(.).domain.root_domain in $url_shorteners
+ or strings.parse_url(.).domain.root_domain in $social_landing_hosts
 )
 )
 )
@@ -131,7 +133,9 @@ source: |
 )
 // go to url shortners
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or (
 // find any links that mention common "action" words
 regex.icontains(.display_text,
diff --git a/detection-rules/link_published_google_doc.yml b/detection-rules/link_published_google_doc.yml
index 3e6fc4a512f..29721e48702 100644
--- a/detection-rules/link_published_google_doc.yml
+++ b/detection-rules/link_published_google_doc.yml
@@ -47,7 +47,9 @@ source: |
 )
 // go to url shortners
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 // go to suspicious TLDs
 or .href_url.domain.tld in $suspicious_tlds
@@ -65,7 +67,9 @@ source: |
 and .href_url.domain.subdomain != "www"
 )
 or .href_url.domain.root_domain in $url_shorteners
+ or .href_url.domain.root_domain in $social_landing_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 // go to suspicious TLDs
 or .href_url.domain.tld in $suspicious_tlds
diff --git a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
index e1861a7f51b..b5f24357534 100644
--- a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
+++ b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
@@ -35,6 +35,7 @@ source: |
 or .href_url.domain.root_domain in $free_file_hosts
 or .href_url.domain.root_domain in $free_subdomain_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 or
 // mass mailer link, masks the actual URL
diff --git a/detection-rules/spam_url_shortener_emojis.yml b/detection-rules/spam_url_shortener_emojis.yml
index 121f88ea7d0..d593d3fdec5 100644
--- a/detection-rules/spam_url_shortener_emojis.yml
+++ b/detection-rules/spam_url_shortener_emojis.yml
@@ -10,7 +10,7 @@ source: |
 and sender.email.domain.root_domain in $free_email_providers
 // has a URL shortener
- and any(body.links, .href_url.domain.root_domain in $url_shorteners)
+ and any(body.links, .href_url.domain.root_domain in $url_shorteners or .href_url.domain.root_domain in $social_landing_hosts)
 // short body, basically just the URL
 and length(body.plain.raw) < 100
diff --git a/detection-rules/spoofable_internal_domain_suspicious_signals.yml b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
index 7483f86a98e..e2a613eb50f 100644
--- a/detection-rules/spoofable_internal_domain_suspicious_signals.yml
+++ b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
@@ -37,6 +37,7 @@ source: |
 or .href_url.domain.root_domain in $free_file_hosts
 or .href_url.domain.root_domain in $free_subdomain_hosts
 or .href_url.domain.domain in $url_shorteners
+ or .href_url.domain.domain in $social_landing_hosts
 )
 )
 ),
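Review bot: The rewritten `and any(body.links, .href_url.domain.root_domain in $url_shorteners or .href_url.domain.root_domain in $social_landing_hosts)` in spam_url_shortener_emojis.yml packs both tests onto one long line, whereas every other hunk in this commit adds the new test as its own `or` line inside the existing layout. Splitting it the same way, `and any(body.links,` / `.href_url.domain.root_domain in $url_shorteners` / `or .href_url.domain.root_domain in $social_landing_hosts)`, keeps the rule readable and makes the next list addition a one-line diff. The rule is still named and commented as a URL-shortener check even though it now also fires on social landing hosts, which is worth reflecting wherever the rule is described. The enclosing source block begins and ends outside the hunk.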