Create credential_phishing_nifty.com_domain_abuse.yml (#3371)

Co-authored-by: ID Generator <hello@sublimesecurity.com>
Co-authored-by: Alex Herold <alex.herold@sublimesecurity.com>
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>

Author: 4 people

detection-rules/credential_phishing_nifty.com_domain_abuse.yml

@@ -0,0 +1,25 @@
+name: "Service Abuse: Nifty.com with impersonation"
+description: "Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.domain.root_domain == "nifty.com"
+  and (
+    sender.email.local_part in map(recipients.to, .email.local_part)
+    or sender.email.local_part in $org_slds
+  )
+  
+  and ml.nlu_classifier(body.current_thread.text).language != "japanese"
+  
+  // and no false positives and not solicited
+  and not profile.by_sender_email().any_messages_benign
+  and not profile.by_sender_email().solicited
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Spoofing"
+detection_methods:
+  - "Sender analysis"
+id: "370cfdac-4976-59a1-ae1f-7cd5594eb958"