From 9af7c1ce8cc56ebfcbc89854c269d8d58d857728 Mon Sep 17 00:00:00 2001
From: John Farina
Date: Tue, 21 Apr 2026 08:23:32 -0400
Subject: [PATCH 1/2] Update body_bec_mobile_solicitation_reply_thread.yml
---
 detection-rules/body_bec_mobile_solicitation_reply_thread.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/body_bec_mobile_solicitation_reply_thread.yml b/detection-rules/body_bec_mobile_solicitation_reply_thread.yml
index 0ec30a25b3e..4f65b00e733 100644
--- a/detection-rules/body_bec_mobile_solicitation_reply_thread.yml
+++ b/detection-rules/body_bec_mobile_solicitation_reply_thread.yml
@@ -22,7 +22,7 @@ source: |
 )
 )
 and regex.icontains(.text,
- '(?:mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact'
+ '(?:mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact|(?:share|send).{0,10}(?:a\s)?number.{0,10}(?:text|reach)'
 )
 )
From 03e544358dfb47f01571b2551108da5b27914445 Mon Sep 17 00:00:00 2001
From: John Farina
Date: Thu, 23 Apr 2026 16:16:21 -0400
Subject: [PATCH 2/2] Update body_bec_mobile_solicitation_reply_thread.yml editing regex to mitigate FPs from mode results
---
 detection-rules/body_bec_mobile_solicitation_reply_thread.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/body_bec_mobile_solicitation_reply_thread.yml b/detection-rules/body_bec_mobile_solicitation_reply_thread.yml
index 4f65b00e733..5736dd82787 100644
--- a/detection-rules/body_bec_mobile_solicitation_reply_thread.yml
+++ b/detection-rules/body_bec_mobile_solicitation_reply_thread.yml
@@ -22,7 +22,7 @@ source: |
 )
 )
 and regex.icontains(.text,
- '(?:mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact|(?:share|send).{0,10}(?:a\s)?number.{0,10}(?:text|reach)'
+ '(?:mobile|suitable|contact|current|cell|call|another).{0,10}(phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:reliable|recent).{0,30}(?:phone|number).{0,15}contact|(?:share|send).{0,20}number.{0,10}(?:text|sms|whatsapp|reach\syou[\s,.\?](?:by|whether|when|for))'
 )
 )
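Review bot: In the rewritten last alternative, `text` and `sms` are unanchored and the inner `whatsapp` has no effect. `.{0,10}text` also matches inside words such as "context", which works against the FP reduction the commit message describes, and any body containing "whatsapp" is already matched by the bare `whatsapp` branch earlier in the same pattern. `reach\syou[\s,.\?]` accepts exactly one whitespace and one separator character, so "reach you, by" or a double space in quoted thread text is missed. The trailing `by`/`for` have no closing boundary, so they also match the start of longer words. Consider `(?:share|send).{0,20}number.{0,10}(?:\btext\b|\bsms\b|reach\s+you[\s,.?]+(?:by|whether|when|for)\b)`, using the `\b` form the pattern already relies on for `\bno` and `\bcell`. The enclosing `source:` expression starts and ends outside the hunk.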