sublime-rules
Sublime rules for email attack detection, prevention, and threat hunting.
# Description
This rule is designed to detect the impersonation of Google Workspace, where the sample relies on logic inside the email including correct imagery, and excludes the forwarded contents...

# Description
We can update this rule to include a new pattern for the subject to detect an FN sample
# Associated samples
- [FN Sample](https://platform.sublime.security/messages/4f986d7b36a8d05e40c16e75515a9ebfe97a7c890345d6afb753fc584faacc96?preview_id=0199ea28-4b1e-769c-af41-528b4b87a547)
## Associated hunts
-...

# Description
adding min length for NLU reliance

This rule detects 7z archive attachments that contain RAR files, which may be used to evade detection by nesting compressed file formats.
# Description
This rule detects 7z archive attachments...

# Description
From a runner expanding coverage to include any character within a bound of 4 between e and doc.
# Associated samples
- [Sample 1](https://platform.sublime.security/messages/4fa01bf4dbc926f13460432433897a4755c8adfe4e81f738da8137489495f004?preview_id=019a2a50-a577-7a7a-8cc1-f0b60cc683f2)
## Associated hunts
- [Hunt...

# Description
coverage for default GoPhish URL format
## Associated hunts
- [Hunt 1](https://platform.sublime.security/messages/hunt?huntId=0199bc25-642e-7af7-8f72-360f4d6d3098)

# Description
Detects unauthorized use of Monday.com tracking links in messages, attachments, or QR codes from unusual senders who lack proper authentication. Excludes legitimate replies and messages from trusted domains...

# Description
Detects messages containing credential theft language disguised as survey requests from promotional content, targeting organizations from untrusted or spoofed high-trust domains.
## Samples
* [Sample 1](https://platform.sublime.security/messages/4f8a0a42683a7fc811f293d7ec4c7f96297855e1aa7802784e74b6bc3935c071?preview_id=0199a0d8-da27-721a-8769-ece3dfec77c3)
## Associated...

# Description
Expanding scope to also look for doc or docx attachments that are impersonating SSA.
# Associated samples
- [Sample 1](https://platform.sublime.security/messages/4f92d53adc08091da323bd3c82c9b3f20eea2d613375754208390a185a49bd77?preview_id=0199e999-fd05-7624-9e0a-d0e788667acb)
- [Sample 2](https://platform.sublime.security/messages/4f93da400f36dafeb895aeb00901c3527dc5b99133aa16488b644adef981ad45?preview_id=0199cfdd-16ed-7899-bf64-938817b4911e)
## Associated hunts
- [Hunt...

# Description
Detects messages impersonating AARP by analyzing sender display name and body content for AARP references, address information, or survey-related language from unauthorized senders.
# Associated samples
- [Sample...