[Shared Samples] [PR #4513] modified rule: PR# 4513 - VIP impersonation with w2 request with reply-to mismatch

github-actions[bot] · github-actions[bot] · commit 41b1ff73afba · 2026-05-29T20:55:36.000Z
diff --git a/detection-rules/4513_impersonation_vip_w2_request.yml b/detection-rules/4513_impersonation_vip_w2_request.yml
@@ -8,12 +8,10 @@ source: |
     any($org_vips,
         strings.contains(sender.display_name, .display_name)
         or strings.contains(sender.display_name,
-                            strings.concat(.last_name, ", ", .first_name)
+                            strings.concat(.first_name, " ", .last_name)
         )
-        or any(regex.extract(.display_name,
-                             '\A(?P<name>.+?)\s*[\(（][^)）]*[)）]\s*\z'
-               ),
-               strings.contains(sender.display_name, .named_groups["name"])
+        or strings.contains(sender.display_name,
+                            strings.concat(.last_name, ", ", .first_name)
         )
     )
     or any(regex.extract(sender.display_name, '^(?<first>\S+)\s+(?<second>\S+)$'),

Original file line number	Diff line number	Diff line change
`@@ -8,12 +8,10 @@ source: \|`
`8`	`8`	`any($org_vips,`
`9`	`9`	`strings.contains(sender.display_name, .display_name)`
`10`	`10`	`or strings.contains(sender.display_name,`
`11`		`- strings.concat(.last_name, ", ", .first_name)`
	`11`	`+ strings.concat(.first_name, " ", .last_name)`
`12`	`12`	`)`
`13`		`- or any(regex.extract(.display_name,`
`14`		`- '\A(?P<name>.+?)\s[\(（][^)）][)）]\s*\z'`
`15`		`- ),`
`16`		`- strings.contains(sender.display_name, .named_groups["name"])`
	`13`	`+ or strings.contains(sender.display_name,`
	`14`	`+ strings.concat(.last_name, ", ", .first_name)`
`17`	`15`	`)`
`18`	`16`	`)`
`19`	`17`	`or any(regex.extract(sender.display_name, '^(?<first>\S+)\s+(?<second>\S+)$'),`