
Sublime rules for email attack detection, prevention, and threat hunting.

Results 226 sublime-rules issues

# Description Create new coverage for base64 encoded zips within HTML files that contain javascript logic to decode the base64 encoded zip file. This rule makes use of the offset...

in-test-rules

# Description adding additional logic to account for impersonation samples with sus calendar invites # Associated samples - https://platform.sublime.security/messages/4facb1b32712710d6216d0bdd455f09bbbc54066f759d13b74e1475d2ec20633

in-test-rules

# Description Detects messages impersonating Charter Spectrum by using variations of 'Spectrum' or 'MyCharter' in the display name while not originating from legitimate Charter domains or failing DMARC authentication. #...

in-test-rules

# Description Detects messages sent via Microsoft CDO for Windows 2000 or PHPMailer that contain HTML paragraph elements with transparent text or hidden content styling, commonly used to evade content...

in-test-rules

Updated regex patterns to improve detection of fake fax messages. # Description updated regex keyword to account for samples beginning with `fr` (possible shorthand for fax received) # Associated samples...

in-test-rules

# Description convert some rules to use subject.base, subject.is_reply and subject.is_forward instead of subject.subject and various methods of determining if the subject indicates a reply/forward This allows for a more...

in-test-rules
review-needed

# Description This rule will detect a docx that is appending the recipient's email address to the end of a hyperlink using an anchor tag. # Associated samples - [Sample...

in-test-rules

# Description Detects PDF attachments that are impersonating Microsoft Purview. # Associated samples - [Sample 1](https://platform.sublime.security/messages/4fabc2e75bf23581159b34314d962685bd45936da41d36496c1e0f3a93c0eba7?preview_id=019a501d-bfc2-73c9-b55d-b0a8218f9cc9) - [Sample 2](https://platform.sublime.security/messages/4fab19ea6fa413240be77ec4680b3a96d5585748f3094362644783e723dee974) ## Associated hunts - [Hunt 1](https://platform.sublime.security/hunts/019a5099-0a10-7bd8-9bf7-a7a1d9964b62)

in-test-rules

Added new key phrase for detection # Description Adding new key phrases, OCR updates & topic negations. # Associated samples - [Sample 1](https://platform.sublime.security/messages/4f922f97163b2f926f452d265d9ab54553e251cd406a5871c01ba2c5a7c209ce?preview_id=0199cb4a-d412-7935-8ac4-93f260696323) ## Associated hunts - [Hunt 1](https://platform.sublime.security/messages/hunt?huntId=019a50ec-cfce-7c70-84a0-b247bd2cfad5) [-...

in-test-rules

# Description Modifying negation condition to cover “hijacked events & webinars current threads”, while requiring +700 characters & specific phrase of “This Voicemail was shared”. Absorbing small change from prior...

in-test-rules