Create rule: Generic Financial Document Template

[missingn0pe]

Description

Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients.

Associated samples

- Sample 1

Associated hunts

- Hunt 1 (Shared Samples)
- Hunt 2 (Multi-hunt)

[missingn0pe]

Telemetry looks good. Low volume TTP but viable. 4 net new samps over L90D, good detection in depth.

One observable - There is similar style rule that matches after a few changes, but only hits 2 of the 91 samps flagged in this PR over L90D, this PR does not lean on profiles, and is a very specific pattern.

- Hunt 1 L90D (Shared Samps)
- Hunt 2 L30D (Multi-hunt)

[IndiaAce]

Hey dude, the telemetry on this rule is crazy good in Mode! batting 1000 for malicious in the last 14 days. A few things I want to point out: I see in the latest batch of rules that almost all of them match existing rules, I'm super down for detection in-depth, especially when we are resolving FNs, but I wanted to see if you had considered modifying the existing Business Email Compromise (BEC) attempt from untrusted sender rule to account for this? Been looking through the hunts and I see that a good amount of these similar emails matching the BEC rule so just wanted to toss it out.

Also, I've been working on a suite of rules for that excessive padding in the body of the email and made a PR to modify that rule and the existing generic document sharing rule to catch this sample as well, so we've got good detection-in-depth coming for this. #4556

[IndiaAce]

Gonna remove review-needed from this but feel free to shoot me a DM when you're ready for re-review for anything here!

[missingn0pe]

Hey dude, the telemetry on this rule is crazy good in Mode! batting 1000 for malicious in the last 14 days. A few things I want to point out: I see in the latest batch of rules that almost all of them match existing rules, I'm super down for detection in-depth, especially when we are resolving FNs, but I wanted to see if you had considered modifying the existing Business Email Compromise (BEC) attempt from untrusted sender rule to account for this? Been looking through the hunts and I see that a good amount of these similar emails matching the BEC rule so just wanted to toss it out.

Also, I've been working on a suite of rules for that excessive padding in the body of the email and made a PR to modify that rule and the existing generic document sharing rule to catch this sample as well, so we've got good detection-in-depth coming for this. #4556

Thanks! Given it's growing hit count, I found it a viable candidate for surfacing based on campaign template structure. I compared Business Email Compromise (BEC) attempt from untrusted sender rule against this sample, this sample does not fire nlu as BEC, it fires as cred_theft, which invalidated the rule as it is the primary condition of the rule.

[missingn0pe]

Updating logic & kicking to test rules.

Hunts:
- Hunt 1 (Multi) - New logic - L30D
- Hunt 2 (Multi) - New vs old logic - L30D
- Hunt 3 (Multi) - Old vs new logic - L30D
- Hunt 4 (Shared samps) - New logic - L90D
- Hunt 5 (Shared samps) - New vs old logic - L90D
- Hunt 6 (Shared samps) - Old vs new logic - L90D

[missingn0pe]

Quick update:

Adding nlu intent filter & simple character count to mitigate FP's & FN's introduced from removing greeting condition.

- Hunt 1 (Shared samps) - New logic - L90D
- Hunt 2 (Shared samps) - Old vs new - L90D
- Hunt 3 (Shared samps) - New vs old - L90D
- Hunt 4 (Multi) - New logic - L30D
- Hunt 5 (Multi) - New logic - Old vs new - L30D
- Hunt 6 (Multi) - New logic - New vs old - L30D