
Summary
This detection rule identifies mass email campaigns attempting Cross-Site Scripting (XSS) exploits, particularly those using known spam techniques. The rule checks incoming messages whose subject or body contains common XSS indicators such as "<script>", "eval(atob", or event-handler attributes like "onload" and "onerror". It further requires that the email is sent to more than 10 recipients, not counting recipients at known organizational domains, and that the sender is unknown. Links within the body are scrutinized: messages containing multiple links are rejected unless a single link points to a predetermined, unchanging domain. The sender's profile is evaluated to ensure the campaign does not originate from a common sender and is unsolicited, indicating a potential phishing attempt. Finally, if the sender's domain is recognized as a high-trust domain, the rule additionally requires a DMARC authentication failure, so trusted sources are tolerated unless they exhibit signs of compromise.
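As an added illustration, not the rule's own implementation or query language, the conditions above rendered as a Python check over constructed message records. The domain lists, the field names on the message record, and the reading of the link condition (at most one distinct link host) are assumptions.

```python
import re

# Constructed configuration for this example; the real rule's lists are not on the page.
ORG_DOMAINS = {"corp.example"}
HIGH_TRUST_DOMAINS = {"trusted-mailer.example"}
# XSS indicators named in the summary: <script>, eval(atob, onload=, onerror=
XSS_INDICATORS = re.compile(r"<script|eval\(atob|onload\s*=|onerror\s*=", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

def _domain(address):
    return address.rsplit("@", 1)[-1].lower()

def external_recipient_count(recipients):
    """Recipients outside the organization's own domains."""
    return sum(1 for r in recipients if _domain(r) not in ORG_DOMAINS)

def link_domains(body):
    """Distinct hosts linked from the body."""
    return {m.group(1).lower() for m in URL_RE.finditer(body)}

def matches_xss_mass_campaign(msg):
    """True when every condition in the rule summary holds for the message record."""
    # 1. XSS indicator in subject or body
    if not (XSS_INDICATORS.search(msg["subject"]) or XSS_INDICATORS.search(msg["body"])):
        return False
    # 2. More than 10 recipients outside the organization
    if external_recipient_count(msg["recipients"]) <= 10:
        return False
    # 3. Sender profile: not a common (known) sender, and unsolicited
    if msg["sender_known"] or msg["solicited"]:
        return False
    # 4. Link constraint: reject multiple links unless they all point at one fixed domain
    if len(link_domains(msg["body"])) > 1:
        return False
    # 5. High-trust sender domains only match when DMARC authentication failed
    if _domain(msg["sender"]) in HIGH_TRUST_DOMAINS and msg["dmarc_pass"]:
        return False
    return True

def sample_message(**overrides):
    """Constructed message record matching the rule; overrides adjust single fields."""
    msg = {
        "sender": "news@bulk-sender.example",
        "subject": "Account notice",
        "body": "<img src=x onerror=\"eval(atob('aGk='))\"> details: https://cdn.example/x",
        "recipients": [f"user{i}@other.example" for i in range(12)],
        "sender_known": False,
        "solicited": False,
        "dmarc_pass": True,
    }
    msg.update(overrides)
    return msg
```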
Categories
- Web
- Endpoint
Data Sources
- User Account
- Application Log
- Network Traffic
Created: 2024-03-27