sublime-rules
Sublime rules for email attack detection, prevention, and threat hunting.
# Description
Adding OCR for attached images.
# Associated samples
- https://platform.sublime.security/messages/4f92bb96521060491266f95904acf47eb8e2b6be64589590ff49dbdb247e028a?preview_id=0199e2ef-d40c-727b-a4d8-8043bf28a07e
# Description
Adding root domain check for `$self_service_creation_platform_domains`
…icious_link.yml
# Description
Adding additional department name for Human Resources (Operations Department) for the NLU entity check on Senders. [REDACTED]
# Associated samples
- https://platform.sublime.security/messages/4fae7f0d78ecc225d2c8972c04cd86f4952d5ae50c06606dcad298f4e9e60979
- https://platform.sublime.security/messages/4faeab5a3377ba72e99c098df090f4dbc5957444f0198a6fd56abfe5187bb5e2
## Associated hunts
Note: This...
# Description
From a runner - I mostly just wanted to cast a net here with an initial rule to get samples!
# Associated samples
- [Sample 1](https://platform.sublime.security/messages/4f9b8241b46ed842090e8091940973eeeaded3f134c1a90890dabff30dd4a535?from_canonical_id=4fa212a9cd26efd33234711259ddc4d5926b225b9833620f8e333d4348c78500&preview_id=019a2613-1772-7117-86cb-44e9ca21dc92)
## Associated...
# Description
Adding additional impersonation keywords to message body check
# Associated samples
- https://platform.sublime.security/messages/4faca2d51213bb10a0380cefaf059c6bce971d168cbcb9380e8f0a734b62627f
# Description
Adding additional regex keywords to account for Microsoft Teams impersonation; also adding logic to override sender profile and explicit domain negations if the sender domain is not valid...
# Description
Detects messages impersonating Carta, a cap table management platform, by analyzing sender display names, subject lines containing equity-related terms, and body content for Carta-specific language. Excludes legitimate Carta...
# Description
From a runner. There's an opportunity here to create some detection-in-depth by creating a rule for emails with an attached zip that contain language suggesting "the password for...
# Description
Add new coverage for observed use of Greenvople evite branding to distribute malware/credphish.
## Associated hunts
- [Hunt 1](https://platform.sublime.security/messages/hunt?huntId=019a5ad8-7bd6-780a-b44c-a3fd65af896c)
# Description
Reduce FPs on messages where the attached PDF is not actually encrypted. When a PDF is actually encrypted, Strelka is unable to process any "child" nodes for the...