[Test Rules] [PR sublime-security#4515] modified rule: VIP impersonation: Fake thread with display name match, email mismatch

github-actions[bot] · github-actions[bot] · commit 259500a4e95f · 2026-05-29T20:33:55.000Z
diff --git a/detection-rules/4515_vip_impersonation_fake_thread.yml b/detection-rules/4515_vip_impersonation_fake_thread.yml
@@ -9,6 +9,15 @@ source: |
             strings.icontains(body.html.display_text,
                               strings.concat("From: ", .display_name, " <")
             )
+            or strings.icontains(body.html.display_text,
+                                 strings.concat("From: ",
+                                                strings.concat(.first_name,
+                                                               " ",
+                                                               .last_name
+                                                ),
+                                                " <"
+                                 )
+            )
             or strings.icontains(body.html.display_text,
                                  strings.concat("From: ",
                                                 strings.concat(.last_name,
@@ -18,16 +27,6 @@ source: |
                                                 " <"
                                  )
             )
-            or any(regex.extract(.display_name,
-                                 '\A(?P<name>.+?)\s*[\(（][^)）]*[)）]\s*\z'
-                   ),
-                   strings.icontains(body.html.display_text,
-                                     strings.concat("From: ",
-                                                    .named_groups["name"],
-                                                    " <"
-                                     )
-                   )
-            )
           )
           and not (
             strings.icontains(body.html.display_text,
@@ -38,6 +37,17 @@ source: |
                                              ">"
                               )
             )
+            or strings.icontains(body.html.display_text,
+                                 strings.concat("From: ",
+                                                strings.concat(.first_name,
+                                                               " ",
+                                                               .last_name
+                                                ),
+                                                " <",
+                                                .email,
+                                                ">"
+                                 )
+            )
             or strings.icontains(body.html.display_text,
                                  strings.concat("From: ",
                                                 strings.concat(.last_name,
@@ -49,18 +59,6 @@ source: |
                                                 ">"
                                  )
             )
-            or any(regex.extract(.display_name,
-                                 '\A(?P<name>.+?)\s*[\(（][^)）]*[)）]\s*\z'
-                   ),
-                   strings.icontains(body.html.display_text,
-                                     strings.concat("From: ",
-                                                    .named_groups["name"],
-                                                    " <",
-                                                    ..email,
-                                                    ">"
-                                     )
-                   )
-            )
           )
   )
   and any([body.current_thread.text, body.html.display_text, body.plain.raw],
@@ -89,4 +87,4 @@ detection_methods:
 id: "a067b4db-294b-5177-ab12-0671ec5c7d63"
 og_id: "11cc3e28-65db-5c7e-9436-9d0a700da971"
 testing_pr: 4515
-testing_sha: 3c7644f9963fb214445fd5add76ce8f949a4acf0
+testing_sha: c9ede5003470372be79cb7ad142656d7202a6329
