[Test Rules] [PR #4515] modified rule: VIP Impersonation via Google Group relay with suspicious indicators

github-actions[bot] · github-actions[bot] · commit 64f0ccb87d90 · 2026-06-08T17:17:23.000Z
diff --git a/detection-rules/4515_impersonation_google_groups_suspicious.yml b/detection-rules/4515_impersonation_google_groups_suspicious.yml
@@ -10,31 +10,64 @@ source: |
   and (
     any(headers.reply_to,
         any($org_vips,
-            strings.contains(.display_name, ..display_name)
-            or strings.contains(strings.concat(.first_name, " ", .last_name),
-                                ..display_name
+            (
+              ..display_name != ""
+              and strings.contains(.display_name, ..display_name)
             )
-            or strings.contains(strings.concat(.last_name, ", ", .first_name),
-                                ..display_name
+            or (
+              .first_name != ""
+              and .last_name != ""
+              and strings.contains(strings.concat(.first_name, " ", .last_name),
+                                   ..display_name
+              )
+            )
+            or (
+              .first_name != ""
+              and .last_name != ""
+              and strings.contains(strings.concat(.last_name, ", ", .first_name),
+                                   ..display_name
+              )
             )
         )
     )
     or any($org_vips,
-           strings.contains(subject.subject, .display_name)
-           or strings.contains(subject.subject,
-                               strings.concat(.first_name, " ", .last_name)
+           (
+             .display_name != ""
+             and strings.contains(subject.subject, .display_name)
            )
-           or strings.contains(subject.subject,
-                               strings.concat(.last_name, ", ", .first_name)
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(subject.subject,
+                                  strings.concat(.first_name, " ", .last_name)
+             )
+           )
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(subject.subject,
+                                  strings.concat(.last_name, ", ", .first_name)
+             )
            )
     )
     or any($org_vips,
-           strings.contains(sender.display_name, .display_name)
-           or strings.contains(sender.display_name,
-                               strings.concat(.first_name, " ", .last_name)
+           (
+             .display_name != ""
+             and strings.contains(sender.display_name, .display_name)
+           )
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(sender.display_name,
+                                  strings.concat(.first_name, " ", .last_name)
+             )
            )
-           or strings.contains(sender.display_name,
-                               strings.concat(.last_name, ", ", .first_name)
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(sender.display_name,
+                                  strings.concat(.last_name, ", ", .first_name)
+             )
            )
     )
   )
@@ -104,4 +137,4 @@ detection_methods:
 id: "674a5349-ceb9-5831-af1c-175d9fa6dbd7"
 og_id: "57f9cd3b-ddac-5ef5-96dd-374dbd03f5cd"
 testing_pr: 4515
-testing_sha: c9ede5003470372be79cb7ad142656d7202a6329
+testing_sha: 2ec75286147bba6ef91add1a4e30fd5b4114e410
