Create link_microsoft_word_generated_content_with_likely_credential_theft_language.yml

Author: hadojae

detection-rules/link_microsoft_word_generated_content_with_likely_credential_theft_language.yml

@@ -0,0 +1,30 @@
+name: "Link: Microsoft Word generated content with credential theft language"
+description: "Detects messages containing links and credential theft language where the HTML content was generated by Microsoft Word, targeting a single recipient from an unsolicited sender."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and 0 < length(body.links) < 30
+  and not profile.by_sender().solicited
+  and length(recipients.to) == 1
+  and recipients.to[0].email.domain.valid
+  and strings.icontains(body.html.raw,
+                      // page generated by microsoft word
+                      '<meta name="Generator" content="Microsoft Word'
+  )
+  // display text classified as cred theft
+  and any(ml.nlu_classifier(body.html.display_text).intents,
+          .name == "cred_theft" and .confidence in ("high")
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "Content analysis"
+  - "HTML analysis"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+  - "URL analysis"