Create link_credential_phishing_cloud_service.yml #4367

Merged
D-Bolton merged 6 commits into main from daniel.fn.ESC-10973.FN--Credential-phishing-via-generic-cloud-service-impersonation
Apr 23, 2026
D-Bolton commented Apr 17, 2026

Description

Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, and contains links to external domains not matching the sender's domain.

Associated samples

Associated hunts

  • Hunt 1
  • Multi-hunts in ESC-10973
  • Mode results look great
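
A sketch of the three conditions in the description, run over constructed messages. This is an added example, not the rule merged in this PR: the keyword patterns stand in for the classifier signals the description names, and testing the "starts with" condition on the subject is an assumption.

```python
import re
from urllib.parse import urlparse

# Assumption: keyword stand-ins for the "credential theft language" and
# "file sharing topic" signals; the merged rule's own logic is not shown here.
CRED_THEFT = re.compile(
    r"\b(?:verify your (?:account|password)|sign in to (?:view|keep)|password expire[sd])\b", re.I)
FILE_SHARING = re.compile(
    r"\b(?:shared (?:a )?(?:file|document|folder)|storage (?:is )?(?:full|limit))\b", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Multi-label suffixes (co.uk) need the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def external_links(body, sender):
    """Return URLs in body whose base domain differs from the sender's."""
    sender_base = base_domain(sender.rsplit("@", 1)[-1])
    hits = []
    for url in URL.findall(body):
        try:
            host = urlparse(url).hostname
        except ValueError:  # malformed authority, e.g. an unclosed "["
            continue
        if host and base_domain(host) != sender_base:
            hits.append(url)
    return hits

def matches(msg):
    # Assumption: "starts with" is tested on the subject, case-insensitively.
    subject = msg["subject"].lstrip().lower()
    starts = subject.startswith(("cloud", "\u2601"))  # U+2601 is the cloud emoji
    body = msg["body"]
    return bool(starts and CRED_THEFT.search(body) and FILE_SHARING.search(body)
                and external_links(body, msg["sender"]))

# Constructed sample messages on reserved .example domains, not the PR's samples.
SAMPLES = [
    {"sender": "notify@mail-alerts.example", "subject": "\u2601\ufe0f Cloud Storage: action required",
     "body": "A colleague shared a document. Sign in to view it: https://docs.portal-login.example/view"},
    {"sender": "no-reply@drive.example", "subject": "Cloud: file shared",
     "body": "Alex shared a file. Sign in to view: https://app.drive.example/f/1"},
    {"sender": "pat@partner.example", "subject": "Re: cloud migration",
     "body": "I shared a folder. Sign in to view: https://files.other.example/x"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", matches(m))
```

The second sample shows why the sender-domain comparison matters: a genuine notification whose links stay on the sender's own domain does not match.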

D-Bolton marked this pull request as ready for review April 17, 2026 19:55
D-Bolton requested a review from a team April 17, 2026 19:55
D-Bolton requested a review from a team as a code owner April 17, 2026 19:55
github-actions Bot added the in-test-rules label (PR is in our testing suite to collect telemetry) Apr 17, 2026
github-actions Bot added a commit that referenced this pull request Apr 17, 2026
github-actions Bot added a commit that referenced this pull request Apr 17, 2026
D-Bolton added the review-needed label (Indicates that a PR is waiting for review) Apr 20, 2026
Comment thread detection-rules/link_credential_phishing_cloud_service.yml Outdated
github-actions Bot added a commit that referenced this pull request Apr 22, 2026
github-actions Bot added a commit that referenced this pull request Apr 22, 2026
github-actions Bot added a commit that referenced this pull request Apr 22, 2026
github-actions Bot added a commit that referenced this pull request Apr 22, 2026
github-actions Bot added a commit that referenced this pull request Apr 23, 2026
github-actions Bot added a commit that referenced this pull request Apr 23, 2026
D-Bolton added this pull request to the merge queue Apr 23, 2026
Merged via the queue into main with commit a482416 Apr 23, 2026
5 checks passed
D-Bolton deleted the daniel.fn.ESC-10973.FN--Credential-phishing-via-generic-cloud-service-impersonation branch April 23, 2026 18:26
github-actions Bot added a commit that referenced this pull request Apr 23, 2026
Labels

  • in-test-rules: PR is in our testing suite to collect telemetry
  • review-needed: Indicates that a PR is waiting for review

2 participants