
Sublime rules for email attack detection, prevention, and threat hunting.

Results 226 sublime-rules issues

# Description
Address FPs by limiting the length of the OCR'ed text inspected for the word "microsoft"

# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/e7ce6540af61457b01c61c3ac11e39da0fb7b56973812f6cf5e0af13d32db576)
- [Sample 2](https://platform.sublimesecurity.com/messages/4eb9106d6e4a56fabfe9d383cfc84bd67aa61e0161bf01bd4c032825a8eb15b6)

review-needed

# Description
_Credential Phishing: Fake Password Expiration from New and Unsolicited sender_:
- added additional phrase for suspicious language
- added additional body logic
- replaced all `subject.subject` and `body.current_thread.text`...

review-needed

# Description
Exclude messages from sharepointonline.com actual via detection on a message id format.

# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/27eb028f5a2966be067d1831886cbc816799831b600f32439d85f82c6c3905a8)

## Associated hunts
- [Hunt 1](https://platform.sublimesecurity.com/hunts/d685229f-fd7d-4a90-ad69-0fbd4b03cda7)

review-needed

# Description
Match on messages from unsolicited senders with at least one link to webflow.io

# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/8de67507028f2581e7d549412b22bbb38eaed9b0371c6f3dd2576273016298f7)
- [Sample 2](https://platform.sublimesecurity.com/messages/408afbf8b6ecf0f7379cac60d0bbd2bb20f36d45932bd4c71e0ca168bdae3cab)
- [Sample 3](https://platform.sublimesecurity.com/messages/61c91112dd08ad68c29f1879f9862e5d69cc0f04a0bc7430a3fd7f0426ad0fdd)

## Associated hunts...

in-test-rules

# Description
Negating the Dropbox fax service (aka Hellofax)

# Associated samples
- https://platform.sublimesecurity.com/messages/6cc7fc26fc4fbcaa27db610b01a153dba5842a82d322894c4659ffc8633f3dfc

## Associated hunts
- https://platform.sublimesecurity.com/hunts/055be80a-6966-45c1-94ab-1af3e76f2f51

Less specific way of handling https://github.com/sublime-security/sublime-rules/pull/1778

# Description
Detects Docusign impersonation linking to non docusign domains, using dummy pdf files.

# Associated samples
https://platform.sublimesecurity.com/messages/19fdd5237c884cfdecbcc6c02c813b6cd191831458b23e060e36db8fd817125e

# Related hunt still running at...

in-test-rules

# Description
Draft current events rule as a detection-rule

in-test-rules

# Description
Detect fake Google Attachment language within the body of a message.

## Associated hunts
If you ran any hunts with your rule, please link them here.
- [Hunt...

in-test-rules

# Description
Various QoL changes for GitOps.

# Description
Adding logic in case NLU fails to fire, additional keywords, and additional link logic.

# Associated hunts
- https://platform.sublimesecurity.com/hunts/67c0d424-3211-45b9-aa39-9679ed621c9d

in-test-rules