sublime-rules
Sublime rules for email attack detection, prevention, and threat hunting.
# Description

Rule optimization: move sender profile check outside of the "any" and within a simple `and`

# Associated samples

N/A
# Description

Add coverage for observed campaign

## Associated hunts

If you ran any hunts with your rule, please link them here.

- [Hunt 1](https://platform.sublime.security/hunts/5f647bfe-db09-4e85-8947-156078dce2bc)
# Description

Add coverage for Zoho Forms abuse via unsolicited center

# Associated samples

- [Sample 1](https://platform.sublime.security/messages/2f84582156ab0175760363b8f116e760cc552642e7d318afb82d2d3b2b19220f)

## Associated hunts

If you ran any hunts with your rule, please link...
# Description

Add coverage for additional VIP Impersonation Fake Thread campaigns.
# Description

DocuSign shares with new reply-to addresses have been seen in recent attacks.

## Associated hunts

- https://platform.sublime.security/hunts/b279fbdf-f64b-43be-b341-89aa7b40b739
Added the latest attack pattern. Changed:

```
and regex.icontains(.display_text, "(go.?to|view|show|display|access|open.?in) (team|planner|group|task|browser)") // and this one
and (
  1 of (
    strings.ilike(body.current_thread.text, "*assigned*new team*"),
    strings.ilike(body.current_thread.text, "*Microsoft Office 365*"),
    strings.ilike(body.current_thread.text, "*internal planner*"),
    ...
```
# Description

Adding sender negation for `ipfs.com`

# Associated samples

- https://platform.sublime.security/messages/592e40efa773cbd47f1dfaa570b1e8baeead5e10fc5b308f394b6ff4cdb37292
# Description

New rule created to look for braille pattern blank characters in attachment filenames recursively.

# Associated samples

Link to samples that are affected by your change. For example,...
# Description

Negating the last name "Norton".

# Associated samples

- https://platform.sublime.security/messages/6cb7cc5311241564a355001a72fc8ed36702ba4efa88eee186a3f9eea785545e
# Description

Negating updates and notifications sent through Pageproof

# Associated samples

- https://platform.sublime.security/messages/8df987663a1837c42bfd8f83e4e9f017d572eaf12aebd3606b8a40d9815d1300
- https://platform.sublime.security/messages/6c6a041b145a78b81ae15364d2eff9da687b7b05130e01fe4cee37240750b40d
- https://platform.sublime.security/messages/cd5ce0e1d4b1edfed056518bd457e60bac4758b27dff43cfd4487a33ab8c03fd