sublime-rules
Sublime rules for email attack detection, prevention, and threat hunting.
# Description

We identified this [blog](https://malwr-analysis.com/2025/08/24/phishing-emails-are-now-aimed-at-users-and-ai-defenses/) and then I performed a few hunts identifying a similar example.

# Associated samples

- [Sample 1](https://platform.sublime.security/messages/4f60c6d692b0e180b23649193078d111644e3c77f1e7795ebb7f789b64a302b2?preview_id=0198cdf4-239b-7690-af02-71217ad29abe)
- [Sample 2](https://platform.sublime.security/messages/4f6043aad6bc24ffcae75a6c18fa33072571734a81130b6adf67c3f2c15af9a2?preview_id=0198c86d-aeda-7749-8e72-89deedc6bcb4)
- [Sample 3](https://platform.sublime.security/messages/4f60fd37ee5d978d43e74ebe5b920e95481a7e9e07e32c703e2c190bc140b336?preview_id=0198c86d-a7a2-7471-b64f-5705b270e799)
- ...
# Description

Detects messages linking to Medium.com profiles with financial language or credential harvesting indicators, which have been observed being abused for phishing landing pages.

# Associated samples

- https://platform.sublime.security/messages/4f75afd3b17853b82e6ada32c348fc62dc362bb521727b163ef84960d6f84400
- ...
# Description

Detects legitimate GoDaddy Payments invoices that contain suspicious indicators. Observed abused for extortion campaigns.

# Associated samples

- https://platform.sublime.security/messages/4f7923cc4ffb35e7f6077531da488a938f89f607a7faad23efe08f5f67d05197

## Associated hunts

- https://platform.sublime.security/messages/hunt?huntId=01997045-4c0b-7a95-b53d-1ea3db7e533c
# Description

adding logic to flag QR codes in the message body with excessive whitespace/padding

# Associated samples

- https://platform.sublime.security/messages/4f7cf35c3f8a1d3b6a41cb99062a9e618a95cc5bde8d53606ef69841b278b4f5

## Associated hunts

- https://platform.sublime.security/messages/hunt?huntId=01995a00-0e11-72cc-b99a-1cb2bcdbace7
# Description

adding additional suspicious subject and file name keywords. also changing the file name check to look for the recipient's SLD as opposed to their whole address

# Associated...
# Description

adding additional logic to flag samples with all links leading to URL shortener domains

# Associated samples

- https://platform.sublime.security/messages/4f7420adc3f195efed13e0f26415751eceeb0fb8cf0ef8c8409a43fa4fb2ad1e
- https://platform.sublime.security/messages/4f77e0b0d25c433480e485842ecf0e13633f8a043d70f063690b0d0a71e2c6aa

## Associated hunts

- https://platform.sublime.security/messages/hunt?huntId=01996101-33b3-7211-8f3f-c6a18db74d06
# Description

adding logic to flag link display names ending in `.pdf`

# Associated samples

- https://platform.sublime.security/messages/4f927d78078bce3f2058a63e553d486789466b6f0d6b8237b68b08842b04bd2d

## Associated hunts

- https://platform.sublime.security/messages/hunt?huntId=0199ccec-fa0b-7e3a-bebc-2030667e9314
# Description

broadening scope of cred theft NLU check to include medium confidence samples. adding additional subject keyword

# Associated samples

- https://platform.sublime.security/messages/4f78da1602ab6ced1e4e6b924bbdb41311da070b03d19232557bbf372419bd1e
- https://platform.sublime.security/messages/4f7b8075f39eb377115495a5d43edc39e9ca479edf728c78a00e36e22b73e0f4

## Associated hunts

hunt for...
# Description

adding logic to flag the word DocuSign with the `i` omitted (DocuSgn)

# Associated samples

- https://platform.sublime.security/messages/4f8498304aa122e8dd7b31937f69cebc2b07df393f3e58a85f117f0d25451ee9
- https://platform.sublime.security/messages/4f843346280947b2b802ceef8c6c8344b64a234dc2690788ad06eaa464d9607c
- https://platform.sublime.security/messages/4f840d2fd15ec18414350fa9772e4d3b45f5879e5cc37d17ade79387340db5a7
# Description

New coverage for Concur impersonation

## Associated hunts

- [Hunt 1](https://platform.sublime.security/messages/hunt?huntId=0199e92d-9253-711a-92b7-88c785f100a8)