[Shared Samples] [PR #4139] modified rule: PR# 4139 - BEC/Fraud: Urgent language and suspicious sending/infrastructure patterns

github-actions[bot] · github-actions[bot] · commit b286724bf9dc · 2026-04-23T18:14:33.000Z
diff --git a/detection-rules/4139_bec_urgent_suspicious_patterns.yml b/detection-rules/4139_bec_urgent_suspicious_patterns.yml
@@ -25,7 +25,7 @@ source: |
     strings.ilike(subject.subject, '*quick question*'),
   
     // brand name
-    regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?o\s?n'), // Catches "Amaz on", "Amazon", etc.
+    regex.icontains(body.current_thread.text, 'a\s?m\s?a\s?z\s?[o0]\s?n'), // Catches "Amaz on", "Amazon", etc.
     regex.icontains(body.current_thread.text, 'p\s?a\s?y\s?p\s?a\s?l'),
     regex.icontains(body.current_thread.text, 'a\s?p\s?p\s?l\s?e'),
   
@@ -40,7 +40,7 @@ source: |
   
     // suspicious recipient pattern
     any(recipients.to, strings.ilike(.display_name, 'undisclosed?recipients')),
-    length(recipients.to) == 1, // Single recipient
+    length(recipients.to) <= 1, // Single or 0 recipients
   
     // header checks
     strings.starts_with(headers.mailer, 'Open-Xchange Mailer'),
