sublime-rules

Sublime rules for email attack detection, prevention, and threat hunting.

Results 226 sublime-rules issues

# Description
Match messages with observed open redirect from emlakarsa
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/cb385ef3d5ed68d6993f6c5455f1b671b041299c5d821594b6014bb36e014459)

in-test-rules

# Description
Match messages with an open redirect
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/a33a20c62fa2cffbc2a33f34a4768dcdd71acdc56236787fa32af791fca7206f)

in-test-rules

# Description
Match messages with observed open redirect from onelink
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/33c3784373fd0fbb0a8e85a63c8d1c35e9ac1ce2de1e1a7f9f0a7072056fbe1f)
## Associated hunts
- [Hunt 1](https://platform.sublimesecurity.com/hunts/02cd5788-ef8b-427d-af3e-204fac4bd8a1)

in-test-rules

# Description
Adding link check to flag on display URL == dropbox.com but with a mismatch.
# Associated samples
- https://platform.sublimesecurity.com/messages/3dca3712fbb6994e5a0401f9330ed444e640c9a32bfd3feadc0d0bbb2fea984d

review-needed

# Description
Multiple open redirects observed ITW with malicious use
# Associated samples
- [Acoustic](https://platform.sublimesecurity.com/messages/25c2a4ca02475adbf540cad0df8edf9ae96b26bb1f74deadb85059086d28cee2)
- [bestdeals.today](https://platform.sublimesecurity.com/messages/81657660621d96145be397db8f2eb8ed0addb6b18f235bf5872f3bc640cf5c6e) - Second in an open redirect chain
- [Club-OS](https://platform.sublimesecurity.com/messages/e0aa56b7d332c3ca5433e89b04b6dc8004d0b527532288191ce9f5073c5b4ba8) - second in an...

in-test-rules

# Description
Campaigns have been observed sending templated Stripe notification emails with the call-to-action button link replaced, clicking through to a malicious credential phishing page.
# Associated samples
- https://platform.sublimesecurity.com/messages/efe0061f0fa1ae7bf6e7db7e3b1919d5b72a7fc9f82d8c068923763f53dec77c...

in-test-rules

# Description
The rule is based on the received headers path described in the blog post: https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6
# Associated samples
No public samples found.
## Associated hunts
N/A

# Description
Detect multi-stage landing cred phishing using Google Drive; aligns with Adobe Express and DocuSign as well.
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/a654e8ac100b79e27ee9d065136caa99d552433cefedc10f572ae4d7f28f999c)
## Associated hunts
- [Hunt...

in-test-rules

# Description
- adding more anchor strings
- removing sender profile prevalence as it causes issues when the sender is spoofed.
- adding or conditions to unsolicited to account for...

# Description
Negate FPs due to Mimecast rewriting of the DocuSign URL
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/a1e61ff3e54d09bc077d87de0312cfa0fd4598f06297481eb37e58754bd83f69)
- [Sample 2](https://platform.sublimesecurity.com/messages/ce7a368a4d40f53edad90ae84bfc21c356d37869c9bd0e0a6ef46ff000428d08)

review-needed