sublime-rules icon indicating copy to clipboard operation
sublime-rules copied to clipboard

Published 20 hours ago verified publisher icon sublime-security

Update brand_impersonation_ms_planner.yml

Open padey opened this issue 1 year ago • 1 comments

Added the latest attack pattern.

Changed:

and regex.icontains(.display_text,
                            **"(go.?to|view|show|display|access|open.?in) (team|planner|group|task|browser)"**

// and this one

 and (
  **1** of (
    strings.ilike(body.current_thread.text, "*assigned*new team*"),
    strings.ilike(body.current_thread.text, "*Microsoft Office 365*"),
    strings.ilike(body.current_thread.text, "*internal planner*"),
    **strings.ilike(body.current_thread.text, "*internal task*")**
  )

Description

Missed the latest spear phishings.

padey avatar Sep 20 '24 12:09 padey

Thank you! Just running a hunt now to confirm that this is safe to ship; will merge if that looks good.

aidenmitchell avatar Sep 20 '24 15:09 aidenmitchell