diff --git a/detection-rules/service_abuse_godaddy_infra.yml b/detection-rules/service_abuse_godaddy_infra.yml
index 34b5198b220..bcd0bf64aa5 100644
--- a/detection-rules/service_abuse_godaddy_infra.yml
+++ b/detection-rules/service_abuse_godaddy_infra.yml
@@ -11,49 +11,6 @@ source: |
 and headers.auth_summary.dmarc.pass
 )
 and any(body.links, .display_text in~ ("Pay Now", "Accept Access"))
- and (
- (
- any(ml.nlu_classifier(body.current_thread.text).intents,
- .name in~ ("callback_scam", "cred_theft", "extortion")
- and .confidence == "high"
- )
- )
- // manual extortion indicators
- or (
- regex.icontains(sender.display_name,
- 'big(\s|[[:punct:]])?brother|seeing(\s|[[:punct:]])?eye'
- )
- or regex.icontains(body.current_thread.text,
- '((I|you).{0,25}(leak|compromise|hack|see|record|expose))|(dirty|little) secret'
- )
- )
- // manual callback phishing indicators
- or (
- // phone number in display name or subject
- any([sender.display_name, subject.base],
- regex.icontains(.,
- '\b\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\b'
- )
- )
- // references commonly impersonated brands in body
- or strings.ilike(strings.replace_confusables(body.current_thread.text),
- "*Pay?Pal*",
- "*Best?Buy*",
- "*Geek?Squad*",
- )
- )
- // emojis in link display text
- or any(body.links,
- regex.contains(.display_text,
- '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
- )
- )
- // links leading to cloudflare R2 or edge services
- or any(body.links,
- .href_url.domain.root_domain in~ ("r2.dev", "pages.dev", "workers.dev")
- )
- )
-
 attack_types:
 - "Callback Phishing"
 - "Extortion"