Brandon Murphy

Results 35 issues of Brandon Murphy

# Description
Exclude messages from sharepointonline.com actual via detection on a message id format.

# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/27eb028f5a2966be067d1831886cbc816799831b600f32439d85f82c6c3905a8)

## Associated hunts
- [Hunt 1](https://platform.sublimesecurity.com/hunts/d685229f-fd7d-4a90-ad69-0fbd4b03cda7)

review-needed

# Description
Match on messages from unsolicited senders with at least one link to webflow.io

# Associated samples
- [Sample 1](https://platform.sublimesecurity.com/messages/8de67507028f2581e7d549412b22bbb38eaed9b0371c6f3dd2576273016298f7)
- [Sample 2](https://platform.sublimesecurity.com/messages/408afbf8b6ecf0f7379cac60d0bbd2bb20f36d45932bd4c71e0ca168bdae3cab)
- [Sample 3](https://platform.sublimesecurity.com/messages/61c91112dd08ad68c29f1879f9862e5d69cc0f04a0bc7430a3fd7f0426ad0fdd)

## Associated hunts...

in-test-rules

# Description
Draft current events rule as a detection-rule

in-test-rules

# Description
Detect fake Google Attachment language within the body of a message.

## Associated hunts
If you ran any hunts with your rule, please link them here.
- [Hunt...

in-test-rules

# Description
Address additional FPs and FNs

# Associated samples
FN Sample that now matches
- [Sample 1](https://platform.sublime.security/messages/45a48a6d0ceba03c0ee8bd2ef4c21cef57f239f9514048b1ce4e14429d4edf56)
- Additional method of phone number obfuscation
- Sample 2 FPs that...

# Description
Add coverage for missed samples

# Associated samples
- [Sample 1](https://platform.sublime.security/messages/c3d2e4c3dc2b1e24a893df5c6983c2fee8de1ed45b3345ba81959d3ff3f60a02)

## Associated hunts
- [Hunt 1](https://platform.sublime.security/hunts/94cc3486-f73c-4ec8-87b7-fc5e7f137b2f)

# Description
Catch additional samples with more creative filenames

# Associated samples
- [Sample 1](https://platform.sublime.security/messages/8aa49e060821a42b4b5752a7184191792cca7b6276332cd958a909a613dd5e25)

## Associated hunts
N/A

# Description
Add additional keywords to cover multi-factor authentication expirations

# Associated samples
- [Sample 1](https://platform.sublime.security/messages/b211bc2144925c33057b55979dd0937905167d35ed75de1630b2e536e8f1d9a6)
- [Sample 2](https://platform.sublime.security/messages/7f12a79fb6d6a68119238133dce2f28d24f97108afbfd8234a3f38d2f6c9702b)

## Associated hunts
Samples matching after this change
- [Hunt 1](https://platform.sublime.security/hunts/52f62bfa-1cb5-4ad7-8440-9edc0dff240c)

review-needed

# Description
Add additional coverage for ShareFile impersonation

# Associated samples
- [Sample 1](https://platform.sublime.security/messages/1fad38cfa5cbe5838aa5e9cab45c576d2c975091bf495f9840aea26a7a6e2290)
- [Sample 2](https://platform.sublime.security/messages/48e62028d5c8a9b4d242ed18ab6c520d0316040d482a3bc94890999838dd3134)

## Associated hunts
- [Hunt 1](https://platform.sublime.security/hunts/d5f2a312-1618-4038-a296-550a697cf672)

in-test-rules

# Description
Add coverage for Google Share Notifications which contain a suspicious comment.

# Associated samples
- [Sample 1](https://platform.sublime.security/messages/e0bf0c3be89dc861f6ce06ebdc464cb812f1476b34026a3c8304b9b746fdebab)

## Associated hunts
- [Hunt 1](https://platform.sublime.security/hunts/e3429a6c-2b99-409a-a927-37e9359af51c)

in-test-rules