Restructured "Attach: Sus Employee Lure" rule#4369

Open
missingn0pe wants to merge 3 commits into main from missingn0pe.fn_fp.ESC-8497.attach_sus_employee_lure
Conversation

@missingn0pe
Member

Description

Many holistic changes made:

  • Fix strings/regex logic
  • Switch attachment inspection style to resolve null inspection
  • Sort for ease of future revisions
  • Mirror 1:1 subject & attachment as intended
  • Remove "contract" as it FP'd after 1:1
  • Add missed keywords & strategies
  • Negated FP keywords
  • Negated fwd/reply

3 domains will be submitted to HTSRD update, which will resolve the majority of the remaining FPs. 20 net new samples, 346 additional detections in depth.

Associated samples

- Sample 1

Associated hunts

- Hunt 1 - OG logic
- Hunt 2 - Comparative
- Hunt 3 - New logic

@missingn0pe missingn0pe requested a review from a team April 17, 2026 22:28
@missingn0pe missingn0pe requested a review from a team as a code owner April 17, 2026 22:28
Invalid spacing caused failures. Fixed spacing.
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Apr 20, 2026
github-actions Bot added a commit that referenced this pull request Apr 20, 2026
github-actions Bot added a commit that referenced this pull request Apr 20, 2026
Making fine tweaks, adding scope for null files & other attachments, negating topic & updating legit convo logic.
github-actions Bot added a commit that referenced this pull request Apr 21, 2026
…picious employee policy update document lure
@missingn0pe
Member Author

github-actions Bot added a commit that referenced this pull request Apr 21, 2026