sublime-rules
Sublime rules for email attack detection, prevention, and threat hunting.
# Description

Detects messages from free email providers discussing healthcare appointments and containing phone numbers to reschedule or cancel, without any prior benign communication history.

# Associated samples

- https://platform.sublime.security/messages/hunt?huntId=0195d46d-2048-7708-aa13-1f62d7aea1c5

# Description

address spoofed org_domain

# Associated samples

- [Sample 1](https://platform.sublime.security/messages/6dc094ec4bf0532c2c9a1a4625a0b5a6f70061f0dd75ddb5e97754359c621831?from_canonical_id=9c600ec955c192686a755f08be5970f5b12948b3099fbe7f5ca3c61590a17adc&preview_id=0196258b-834c-709e-9ba8-485d18f8546a)

# Description

address spoof of org_domain

# Associated samples

- [Sample 1](https://platform.sublime.security/messages/6dc094ec4bf0532c2c9a1a4625a0b5a6f70061f0dd75ddb5e97754359c621831?from_canonical_id=9c600ec955c192686a755f08be5970f5b12948b3099fbe7f5ca3c61590a17adc&preview_id=0196258b-834c-709e-9ba8-485d18f8546a)

# Description

address spoofed org_domains

# Associated samples

- [Sample 1](https://platform.sublime.security/rules/editor?canonical_id=9c600ec955c192686a755f08be5970f5b12948b3099fbe7f5ca3c61590a17adc&message_id=019617a0-3f8d-77a6-a61e-9fff99cd29bf)

# Description

Added additional message ID bailout logic.

# Associated samples

- https://platform.sublime.security/messages/b61cafef97854a13151e72303f637636fc2a9cf3da80eab7acd36743f6f667a1?preview_id=019616d3-69e4-7e76-bcfa-4f3e35db9842
- https://platform.sublime.security/messages/a9ee5f4f4495d1aa1286a7576259836a4c8aa10cad7b11e56b1841491dade19c?preview_id=01962587-7b37-7e44-8c50-5a823d24d053

# Description

ASR rule for HelloSign messages from newly observed sender

## Associated hunts

- [Hunt 1](https://platform.sublime.security/messages/hunt?huntId=0195fbdc-6dd3-7b50-8ee4-d4c01f0726ee)

# Description

1. Format
2. Add additional regex for additional methods of obfuscating `Docusign`
3. Add additional color to find the blue background
4. update regex for finding background color...

# Description

ASR rule for SurveyMonkey from newly registered reply-to domain

> [!WARNING]
> This PR makes use of a beta feature which is subject to change without notice. Use...

# Description

Replacing string list with regex (to add boundary characters), and updating link negation logic.

# Associated samples

- https://platform.sublime.security/messages/302a2100fee027b80e4cfa5d1e0f22258ca98e6cc90f92570fe63b3e7b942085?from_canonical_id=611d7dcfb879152f3a6503523e81d5fdca92757a140950bd05627a267df87aa9&preview_id=01961988-5c9e-78eb-bede-62dcbd5e0d98