Brandon Murphy
Desired Output: I ran into an issue while trying to negate traffic from an ASN while including specific subnets which fall into a negated ASN. The pcap has lots of...
# Description
Match on the display name of Stripe for impersonations
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/efe0061f0fa1ae7bf6e7db7e3b1919d5b72a7fc9f82d8c068923763f53dec77c)
## Associated hunts
- [Hunt 1](https://platform.sublimesecurity.com/hunts/4e145262-8f34-46fe-a97f-3326e279a216)

# Description
Match messages containing an open redirect from PIRL San Diego
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/ce5e11d10c4b26493f4e00c851dce757b40ca047470924b033a88b721361933e)
## Associated hunts
- [Hunt 1](https://platform.sublimesecurity.com/hunts/e33f67e7-0877-447a-ace8-4b5d887b6ee7)

# Description
Match messages with an observed open redirect from emlakarsa
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/cb385ef3d5ed68d6993f6c5455f1b671b041299c5d821594b6014bb36e014459)

# Description
Match messages with an open redirect
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/a33a20c62fa2cffbc2a33f34a4768dcdd71acdc56236787fa32af791fca7206f)

# Description
Match messages with an observed open redirect from onelink
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/33c3784373fd0fbb0a8e85a63c8d1c35e9ac1ce2de1e1a7f9f0a7072056fbe1f)
## Associated hunts
- [Hunt 1](https://platform.sublimesecurity.com/hunts/02cd5788-ef8b-427d-af3e-204fac4bd8a1)

# Description
Multiple open redirects observed ITW with malicious use
# Associated samples
- [Acoustic](https://platform.sublimesecurity.com/messages/25c2a4ca02475adbf540cad0df8edf9ae96b26bb1f74deadb85059086d28cee2)
- [bestdeals.today](https://platform.sublimesecurity.com/messages/81657660621d96145be397db8f2eb8ed0addb6b18f235bf5872f3bc640cf5c6e) - second in an open redirect chain
- [Club-OS](https://platform.sublimesecurity.com/messages/e0aa56b7d332c3ca5433e89b04b6dc8004d0b527532288191ce9f5073c5b4ba8) - second in an...

# Description
Detect multi-stage landing cred phishing using Google Drive; aligns with Adobe Express and DocuSign as well.
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/a654e8ac100b79e27ee9d065136caa99d552433cefedc10f572ae4d7f28f999c)
## Associated hunts
- [Hunt...

# Description
Negate FPs due to Mimecast rewriting of the DocuSign URL
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/a1e61ff3e54d09bc077d87de0312cfa0fd4598f06297481eb37e58754bd83f69)
- [Sample 2](https://platform.sublimesecurity.com/messages/ce7a368a4d40f53edad90ae84bfc21c356d37869c9bd0e0a6ef46ff000428d08)

# Description
Address FPs by limiting the length of the OCR'ed text inspected for the word "microsoft"
# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/e7ce6540af61457b01c61c3ac11e39da0fb7b56973812f6cf5e0af13d32db576)
- [Sample 2](https://platform.sublimesecurity.com/messages/4eb9106d6e4a56fabfe9d383cfc84bd67aa61e0161bf01bd4c032825a8eb15b6)
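The open redirect entries above (including the links described as "second in an open redirect chain") and the Mimecast rewriting FP share one mechanic: does a link's query string carry another absolute URL, and is the visible link host the real destination? The following Python is an added example, not one of the Sublime Security rules these PRs describe. It assumes that a redirect is any query-parameter value that parses as an absolute http(s) URL, that a Mimecast URL Protect link sits under a `*.mimecast.com` host and names the original destination in a `domain` query parameter, and that a redirect back to the same host is not "open"; every sample link is constructed, not taken from a real message.

```python
"""Open-redirect chain walker with Mimecast URL Protect unwrapping.

Added example; not a Sublime Security rule. Assumptions (not stated on the
page): a redirect is a query-parameter value that is itself an absolute
http(s) URL; a Mimecast-rewritten link has a host ending in .mimecast.com and
carries the original destination host in its `domain` query parameter.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

MIMECAST_SUFFIX = ".mimecast.com"  # assumption: URL Protect hosts end with this

# Constructed sample links; none come from a real message.
CHAIN_URL = (
    "https://click.example-marketing.com/redirect"
    "?url=https%3A%2F%2Fbestdeals.example%2Fgo%3Fto%3Dhttps%3A%2F%2Fcred-harvest.example%2Flogin"
)
MIMECAST_URL = "https://protect-us.mimecast.com/s/AbCdEfGh?domain=docusign.net"
SAME_HOST_URL = "https://portal.example/login?next=https://portal.example/home"
PLAIN_URL = "https://docusign.net/Signing/EmailStart.aspx?a=1"


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def unwrap_mimecast(url: str) -> Optional[str]:
    """Original destination host named by a Mimecast-rewritten link, else None."""
    if not host_of(url).endswith(MIMECAST_SUFFIX):
        return None
    domain = parse_qs(urlparse(url).query).get("domain", [""])[0]
    return domain.lower() or None


def embedded_url(url: str) -> Optional[str]:
    """First query-parameter value that is itself an absolute http(s) URL.

    parse_qs percent-decodes exactly once, so a nested redirector's own
    parameters survive intact and are inspected on the next hop.
    """
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                return value
    return None


def redirect_chain(url: str, max_depth: int = 5) -> list[str]:
    """Hosts visited by following embedded URLs, starting with the link's own host."""
    chain = [host_of(url)]
    current = url
    for _ in range(max_depth):  # bounded so a self-referencing redirector cannot loop forever
        nxt = embedded_url(current)
        if nxt is None:
            break
        chain.append(host_of(nxt))
        current = nxt
    return chain


def classify(url: str) -> dict:
    """Summarise a link for detection logic: chain, hop count, host to match on."""
    unwrapped = unwrap_mimecast(url)
    hosts = redirect_chain(url)
    # Collapse consecutive same-host hops: a login page bouncing to itself is not open.
    distinct = [h for i, h in enumerate(hosts) if i == 0 or h != hosts[i - 1]]
    return {
        "mimecast_wrapped": unwrapped is not None,
        # Host a brand/impersonation rule should key on: the rewrite target when
        # Mimecast wrapped the link, otherwise the link host itself.
        "effective_host": unwrapped or hosts[0],
        "chain": distinct,
        "redirect_hops": len(distinct) - 1,
        "open_redirect": len(distinct) >= 2,
    }


if __name__ == "__main__":
    for sample in (CHAIN_URL, MIMECAST_URL, SAME_HOST_URL, PLAIN_URL):
        print(classify(sample))
```

The Mimecast wrapper names its destination as a bare domain rather than a nested URL, so it never extends the chain; a rule that matches a DocuSign link on `effective_host` instead of the raw link host therefore sees `docusign.net` whether or not the gateway rewrote it, which is the FP the Mimecast PR above negates. The `max_depth` bound matters in practice: a redirector that points at itself would otherwise walk forever.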