
Commit 8dd6e60

[Test Rules] [PR #4513] modified rule: VIP impersonation with urgent request (strict match, untrusted sender)
1 parent 3b4c404 commit 8dd6e60

1 file changed

Lines changed: 7 additions & 3 deletions


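--- a/detection-rules/4513_impersonation_vip_urgent_request.yml
+++ b/detection-rules/4513_impersonation_vip_urgent_request.yml
@@ -9,8 +9,12 @@ source: |
 type.inbound
 and any($org_vips,
 .display_name =~ sender.display_name
-or strings.concat(.first_name, " ", .last_name) == sender.display_name
-or strings.concat(.last_name, ", ", .first_name) == sender.display_name
+or strings.concat(.last_name, ", ", .first_name) =~ sender.display_name
+or any(regex.extract(.display_name,
+'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
+),
+.named_groups["name"] =~ sender.display_name
+)
 )
 and (
 any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -64,4 +68,4 @@ detection_methods:
 id: "5bb1c65e-b217-59bc-b9a6-4b7e6defc225"
 og_id: "0dd1fa60-6e89-5f70-81a1-6b64eef0e428"
 testing_pr: 4513
-testing_sha: 90a3176084fd25d367a7582d78b2cd7bb9c4b8b5
+testing_sha: 8edfcb14502fda5aa8241629f8b4a08bbe1eefc7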
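Review bot: The first hunk drops the `strings.concat(.first_name, " ", .last_name)` comparison without a replacement, so a sender display name in plain "First Last" form is covered only when the VIP entry's `.display_name` already has that form or reduces to it once the new regex strips a trailing parenthetical; whether that holds for every `$org_vips` entry is not visible here. Unless the removal is deliberate, keep the clause in the `=~` form the other comparisons now use: `or strings.concat(.first_name, " ", .last_name) =~ sender.display_name`. The character classes `[\((]` and `[))]` in the new pattern list the same parenthesis twice as rendered on this page, which suggests a second (possibly fullwidth) variant was intended; a short comment above the `regex.extract` call naming the bracket characters it covers would make that checkable. The `source` expression starts before and continues after the hunk.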
