[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP Impersonation via Google Group relay with suspicious indicators

github-actions[bot] · github-actions[bot] · commit dee9bdb01480 · 2026-06-08T16:33:51.000Z
diff --git a/detection-rules/4515_impersonation_google_groups_suspicious.yml b/detection-rules/4515_impersonation_google_groups_suspicious.yml
@@ -10,31 +10,64 @@ source: |
   and (
     any(headers.reply_to,
         any($org_vips,
-            strings.contains(.display_name, ..display_name)
-            or strings.contains(strings.concat(.first_name, " ", .last_name),
-                                ..display_name
+            (
+              ..display_name != ""
+              and strings.contains(.display_name, ..display_name)
             )
-            or strings.contains(strings.concat(.last_name, ", ", .first_name),
-                                ..display_name
+            or (
+              .first_name != ""
+              and .last_name != ""
+              and strings.contains(strings.concat(.first_name, " ", .last_name),
+                                   ..display_name
+              )
+            )
+            or (
+              .first_name != ""
+              and .last_name != ""
+              and strings.contains(strings.concat(.last_name, ", ", .first_name),
+                                   ..display_name
+              )
             )
         )
     )
     or any($org_vips,
-           strings.contains(subject.subject, .display_name)
-           or strings.contains(subject.subject,
-                               strings.concat(.first_name, " ", .last_name)
+           (
+             .display_name != ""
+             and strings.contains(subject.subject, .display_name)
            )
-           or strings.contains(subject.subject,
-                               strings.concat(.last_name, ", ", .first_name)
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(subject.subject,
+                                  strings.concat(.first_name, " ", .last_name)
+             )
+           )
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(subject.subject,
+                                  strings.concat(.last_name, ", ", .first_name)
+             )
            )
     )
     or any($org_vips,
-           strings.contains(sender.display_name, .display_name)
-           or strings.contains(sender.display_name,
-                               strings.concat(.first_name, " ", .last_name)
+           (
+             .display_name != ""
+             and strings.contains(sender.display_name, .display_name)
+           )
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(sender.display_name,
+                                  strings.concat(.first_name, " ", .last_name)
+             )
            )
-           or strings.contains(sender.display_name,
-                               strings.concat(.last_name, ", ", .first_name)
+           or (
+             .first_name != ""
+             and .last_name != ""
+             and strings.contains(sender.display_name,
+                                  strings.concat(.last_name, ", ", .first_name)
+             )
            )
     )
   )
