
Commit 8623547

[Test Rules] [PR #4515] modified rule: VIP impersonation with charitable donation fraud
1 parent f0f6949 commit 8623547

1 file changed

Lines changed: 11 additions & 7 deletions


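--- a/detection-rules/4515_vip_impersonation_charity.yml
+++ b/detection-rules/4515_vip_impersonation_charity.yml
@@ -19,21 +19,25 @@ source: |
 and (
 any($org_vips,
 strings.icontains(body.html.inner_text, .display_name)
-or strings.icontains(body.html.inner_text,
-strings.concat(.first_name, " ", .last_name)
-)
 or strings.icontains(body.html.inner_text,
 strings.concat(.last_name, ", ", .first_name)
 )
+or any(regex.extract(.display_name,
+'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
+),
+strings.icontains(body.html.inner_text, .named_groups["name"])
+)
 )
 or any($org_vips,
 strings.icontains(body.plain.raw, .display_name)
-or strings.icontains(body.plain.raw,
-strings.concat(.first_name, " ", .last_name)
-)
 or strings.icontains(body.plain.raw,
 strings.concat(.last_name, ", ", .first_name)
 )
+or any(regex.extract(.display_name,
+'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
+),
+strings.icontains(body.plain.raw, .named_groups["name"])
+)
 )
 )
 and (
@@ -87,4 +91,4 @@ detection_methods:
 id: "f1011d09-b7dc-5a80-a0eb-ae5f9e5f1ae1"
 og_id: "35a56b8e-9293-5ccf-95d3-c990152d8f48"
 testing_pr: 4515
-testing_sha: 1658ad9fc984cdf4e2a8a85f6af83206ffd6dde1
+testing_sha: 3c7644f9963fb214445fd5add76ce8f949a4acf0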
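Review bot: The added `regex.extract` branch, in both the `body.html.inner_text` and `body.plain.raw` arms of the first hunk, sets no minimum length on the captured `name`, so a display name that is only an initial or short alias before the parenthetical would produce a string that `strings.icontains` finds in almost any body, and the VIP condition stops discriminating. A guard such as `length(.named_groups["name"]) > 3 and strings.icontains(body.html.inner_text, .named_groups["name"])` (and the same for `body.plain.raw`) would keep the match meaningful. The new side also no longer compares against `strings.concat(.first_name, " ", .last_name)`, so a VIP whose `display_name` is not "First Last" and carries no trailing parenthetical may now match only in "Last, First" form; whether `$org_vips` entries can look like that is not visible here and is worth confirming against test data. A short comment above the pattern stating that it strips a trailing parenthetical suffix from `display_name` would help the next reader, since the character classes are hard to read as rendered. The `source` block starts and ends outside the hunk.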
