
Create self_sender_cred_theft_short_path_link.yml #4378

Merged
D-Bolton merged 4 commits into main from daniel.fn.ESC-11425.FN--Credential-phishing-with-self-sender-pattern
Apr 24, 2026

Conversation


@D-Bolton D-Bolton commented Apr 21, 2026

Description

Detects self sender messages containing links with single character paths and credential theft language.

Associated samples

Associated hunts

  • Hunt 1
  • Multi hunts inside ESC-11425
  • Mode results look good

github-actions Bot added a commit that referenced this pull request Apr 21, 2026
@D-Bolton D-Bolton marked this pull request as ready for review April 21, 2026 21:58
@D-Bolton D-Bolton requested a review from a team April 21, 2026 21:58
@D-Bolton D-Bolton requested a review from a team as a code owner April 21, 2026 21:58
@github-actions github-actions Bot added the in-test-rules label (PR is in our testing suite to collect telemetry) Apr 21, 2026
github-actions Bot added a commit that referenced this pull request Apr 21, 2026
@D-Bolton D-Bolton added the review-needed label (Indicates that a PR is waiting for review) Apr 22, 2026
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
github-actions Bot added a commit that referenced this pull request Apr 23, 2026
…th credential theft body and self sender behavior
github-actions Bot added a commit that referenced this pull request Apr 23, 2026
…aracter path with credential theft body and self sender behavior or invalid recipient
github-actions Bot added a commit that referenced this pull request Apr 23, 2026
…th credential theft body and self sender behavior or invalid recipient
@D-Bolton D-Bolton requested a review from zoomequipd April 23, 2026 17:10
@D-Bolton D-Bolton added this pull request to the merge queue Apr 24, 2026
Merged via the queue into main with commit 18a9e2e Apr 24, 2026
5 checks passed
@D-Bolton D-Bolton deleted the daniel.fn.ESC-11425.FN--Credential-phishing-with-self-sender-pattern branch April 24, 2026 17:14
github-actions Bot added a commit that referenced this pull request Apr 24, 2026