From 27d63493d17fd8d7ffc1945bc1db9b415bbbaa84 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Fri, 15 May 2026 17:28:52 -0500
Subject: [PATCH 01/12] Create rule: Generic Financial Document Template
Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients.
---
 ...k_financial_document_timeline_template.yml | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 detection-rules/link_financial_document_timeline_template.yml
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
new file mode 100644
index 00000000000..d94106cb40b
--- /dev/null
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -0,0 +1,71 @@
+name: "Link: Generic financial document and suspicious hosting template"
+description: "Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // standard generic greeting
+ and (
+ strings.istarts_with(body.current_thread.text, "dear sir/madam")
+ // expectation of time
+ and regex.icontains(body.current_thread.text,
+ 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
+ )
+ )
+ // link is malicious
+ and any(body.links,
+ // key phrasing or nlu
+ (
+ regex.icontains(.display_text,
+ '(?:access|view).{0,10}|payment|statement'
+ )
+ or any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "Request to View Invoice" and .confidence != "low"
+ )
+ )
+ // suspicious hosting
+ and (
+ .href_url.domain.root_domain in $free_file_hosts
+ or .href_url.domain.tld in $suspicious_tlds
+ or .href_url.domain.root_domain not in $tranco_1m
+ // open redirect
+ or strings.icontains(.href_url.query_params, '=https')
+ )
+ // negate org domains
+ and .href_url.domain.valid != false
+ and .href_url.domain.root_domain not in $org_domains
+ )
+ // suspicious sender behavior
+ and (
+ (
+ length(recipients.to) == 1
+ and length(recipients.cc) == 0
+ and sender.email.email == recipients.to[0].email.email
+ )
+ // no recipient
+ or (
+ (
+ length(recipients.to) == 0
+ and length(recipients.bcc) == 0
+ and length(recipients.cc) == 0
+ )
+ or any(recipients.to,
+ strings.ilike(.display_name, "undisclosed?recipients")
+ )
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Open redirect"
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "URL analysis"
+ - "Header analysis"
+ - "Sender analysis"
From a68fc0d514655d0c378e43c8700abcf31b7af00e Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 15 May 2026 22:32:33 +0000
Subject: [PATCH 02/12] Auto-format MQL and add rule IDs
---
 detection-rules/link_financial_document_timeline_template.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index d94106cb40b..900a8888728 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -69,3 +69,4 @@ detection_methods:
 - "URL analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "027cb65d-aee3-5f10-9555-20b719bbde42"
From 9384da2d92eb56b85e45f5eee0fdc7c27fc77479 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 3 Jun 2026 11:44:43 -0500
Subject: [PATCH 03/12] Update link_financial_document_timeline_template.yml
Few updates:
- Removing starting check of strict greeting.
- Updating undisclosed recipients to current standard.
---
 ...k_financial_document_timeline_template.yml | 23 ++++++-------------
 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 900a8888728..92cd4af0d62 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -4,14 +4,11 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- // standard generic greeting
- and (
- strings.istarts_with(body.current_thread.text, "dear sir/madam")
- // expectation of time
- and regex.icontains(body.current_thread.text,
- 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
- )
+ // expectation of time
+ and regex.icontains(body.current_thread.text,
+ 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
 )
+
 // link is malicious
 and any(body.links,
 // key phrasing or nlu
@@ -42,16 +39,10 @@ source: |
 and length(recipients.cc) == 0
 and sender.email.email == recipients.to[0].email.email
 )
- // no recipient
+ // the recipient is undisclosed or there are no recipients
 or (
- (
- length(recipients.to) == 0
- and length(recipients.bcc) == 0
- and length(recipients.cc) == 0
- )
- or any(recipients.to,
- strings.ilike(.display_name, "undisclosed?recipients")
- )
+ length(recipients.to) == 0
+ or all(recipients.to, .email.domain.valid == false)
 )
 )
 
From 902d97c158037f89f1acdbc33cbbc9552b10cfa9 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 3 Jun 2026 16:29:02 -0500
Subject: [PATCH 04/12] Update link_financial_document_timeline_template.yml
Noticed FP's from removing greeting condition. Adding nlu with character limiter to negate FP's and FN's.
---
 detection-rules/link_financial_document_timeline_template.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 92cd4af0d62..86831a3e887 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
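Review bot: The rewritten "no recipients" branch (`length(recipients.to) == 0 or all(recipients.to, .email.domain.valid == false)`) no longer requires `recipients.cc` and `recipients.bcc` to be empty, so a message with an empty To header but a populated Cc now satisfies the sender-behavior block, which is wider than the "undisclosed recipients" case the commit message describes. If that widening is intended, the new comment should say so; otherwise keep `and length(recipients.cc) == 0` next to the `length(recipients.to) == 0` test. It is also worth confirming whether `all()` over an empty list evaluates to true in MQL; if it does, the explicit length check is redundant but harmless. The enclosing `and (` block that holds both recipient branches starts before this hunk.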
@@ -4,6 +4,9 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
+ // nlu filtering
+ and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")
+
 // expectation of time
 and regex.icontains(body.current_thread.text,
 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
@@ -32,6 +35,7 @@ source: |
 and .href_url.domain.valid != false
 and .href_url.domain.root_domain not in $org_domains
 )
+
 // suspicious sender behavior
 and (
 (
From e6a854f326d20dc2452a4350622bd79e632a7d88 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 3 Jun 2026 16:33:35 -0500
Subject: [PATCH 05/12] Update link_financial_document_timeline_template.yml
Wrong logic committed. This is the correct logic
---
 .../link_financial_document_timeline_template.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 86831a3e887..44768021486 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -5,7 +5,10 @@ severity: "medium"
 source: |
 type.inbound
 // nlu filtering
- and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")
+ and not (
+ any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")
+ and not length(body.current_thread.text) <= 1600
+ )
 
 // expectation of time
 and regex.icontains(body.current_thread.text,
From b8a832d865599082a987be2bc64bcb4e71e777dd Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Thu, 11 Jun 2026 15:52:56 -0500
Subject: [PATCH 06/12] Update generic financial document template - tighter scope.
A few changes after telemetry:
- The "will be released" branch now requires a specific date format (day of week + full date) within 15 chars, rather than matching on "will be released" alone.
- Tightened [1-4].[1-4] to [1-4]\W[1-4] to mitigate FP's.
- Changed display.text triggers
- Changed NLU confidence to mitigate scope creep
- Additional open redir trigger
- Removed goofy nlu filter that was mitigating a miss. New free file host domain will be submitted for remaining misses.
---
 .../link_financial_document_timeline_template.yml | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 44768021486..baae5412d27 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -4,15 +4,9 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- // nlu filtering
- and not (
- any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")
- and not length(body.current_thread.text) <= 1600
- )
-
 // expectation of time
 and regex.icontains(body.current_thread.text,
- 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
+ 'will be released.{0,15}(?:(Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s+(January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},)|\b[1-4]\W[1-4]\b.{1,10}days'
 )
 
 // link is malicious
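Review bot: The replacement pattern changes the trailing `days?` of the old regex to `days`, so phrasing such as "within 2-3 day" no longer matches; the commit message enumerates the other tightenings but not this one, so it looks accidental rather than deliberate. If the singular form is still wanted, keep `\b[1-4]\W[1-4]\b.{1,10}days?`. The new date branch also requires a comma after the day number (`\d{1,2},`) and a comma after the weekday, which the `// expectation of time` comment does not convey; a comment such as `// "will be released" followed within 15 chars by a fully punctuated "Weekday, Month DD," date, or a short N-M days window` would make the intended strictness explicit to the next editor. The `regex.icontains(...)` call opens and closes within this hunk.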
@@ -20,10 +14,10 @@ source: |
 // key phrasing or nlu
 (
 regex.icontains(.display_text,
- '(?:access|view).{0,10}|payment|statement'
+ '(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)|advice|deposit|document|eft|release|remit'
 )
 or any(ml.nlu_classifier(body.current_thread.text).topics,
- .name == "Request to View Invoice" and .confidence != "low"
+ .name == "Request to View Invoice" and .confidence == "high"
 )
 )
 // suspicious hosting
@@ -32,7 +26,7 @@ source: |
 or .href_url.domain.tld in $suspicious_tlds
 or .href_url.domain.root_domain not in $tranco_1m
 // open redirect
- or strings.icontains(.href_url.query_params, '=https')
+ or strings.icontains(.href_url.query_params, '=https', 'url=')
 )
 // negate org domains
 and .href_url.domain.valid != false
From 8b942d08fa5b7fc7aad5109dbd11b4faace98074 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 17 Jun 2026 09:48:20 -0500
Subject: [PATCH 07/12] Update detection-rules/link_financial_document_timeline_template.yml
Removing suspicious hosting checks as it is limiting flagging on HTSRD hosting, shorteners & a recently added free file host domain.
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
---
 .../link_financial_document_timeline_template.yml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index baae5412d27..1b89b448824 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
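Review bot: In the new display-text pattern the alternatives `advice`, `document`, `eft`, `release` and `remit` are unanchored substrings, so `eft` also matches link text containing "left", "theft" or "Deft" and `release` matches "press release"; because the surrounding `any(body.links, …)` needs only one link to pass, this is a likely false-positive path now that the pattern is broader than before. Wrapping the bare terms in word boundaries, e.g. `\b(?:advice|deposit|document|eft|release|remit)\b`, keeps the intended matches while excluding substrings. The same bare terms are carried over unchanged when patch 09 splits them into separate `regex.icontains` arguments (`'eft'`, `'release'`, …), so the boundaries should be applied there as well. The enclosing `any(body.links,` expression starts before this hunk.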
@@ -20,14 +20,6 @@ source: |
 .name == "Request to View Invoice" and .confidence == "high"
 )
 )
- // suspicious hosting
- and (
- .href_url.domain.root_domain in $free_file_hosts
- or .href_url.domain.tld in $suspicious_tlds
- or .href_url.domain.root_domain not in $tranco_1m
- // open redirect
- or strings.icontains(.href_url.query_params, '=https', 'url=')
- )
 // negate org domains
 and .href_url.domain.valid != false
 and .href_url.domain.root_domain not in $org_domains
From 50330e9e1188202f8b598067f56ac99706454111 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 17 Jun 2026 09:48:51 -0500
Subject: [PATCH 08/12] Update detection-rules/link_financial_document_timeline_template.yml
Separating for readability.
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
---
 detection-rules/link_financial_document_timeline_template.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 1b89b448824..4887b7e43a8 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -6,7 +6,8 @@ source: |
 type.inbound
 // expectation of time
 and regex.icontains(body.current_thread.text,
- 'will be released.{0,15}(?:(Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s+(January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},)|\b[1-4]\W[1-4]\b.{1,10}days'
+ 'will be released.{0,15}(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday),\s+(?:January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},',
+ '\b[1-4]\W[1-4]\b.{1,10}days'
 )
 
 // link is malicious
From d8d8c93c14a1a6a05523f5cc94bba2b0b5a841ab Mon Sep 17 00:00:00 2001
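Review bot: With the hosting block deleted, the link predicate that remains is only "display text or NLU topic looks financial, domain valid, not an org domain", so the `// link is malicious` comment that introduces `any(body.links,` (above this hunk, outside it) now overstates what is checked. Suggest `// link text or NLU topic suggests a financial document; target hosting is deliberately not evaluated (see commit history)` so the next reader does not assume the URL itself is being scored. A message that passes the timeline regex and carries, for example, a footer link labelled "document" now satisfies this branch, so precision rests entirely on the timeline regex and the recipient checks; that trade-off may be acceptable given the misses described in the commit message, but it belongs in the rule description. The enclosing `any(body.links,` expression starts before this hunk.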
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 17 Jun 2026 09:49:35 -0500
Subject: [PATCH 09/12] Update detection-rules/link_financial_document_timeline_template.yml
Separating for readability.
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
---
 .../link_financial_document_timeline_template.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 4887b7e43a8..90cfe93556f 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -15,7 +15,13 @@ source: |
 // key phrasing or nlu
 (
 regex.icontains(.display_text,
- '(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)|advice|deposit|document|eft|release|remit'
+ '(?:access|show|view).{0,10}(?:confirmation|message|payment|statement)',
+ 'advice',
+ 'deposit',
+ 'document',
+ 'eft',
+ 'release',
+ 'remit'
 )
 or any(ml.nlu_classifier(body.current_thread.text).topics,
 .name == "Request to View Invoice" and .confidence == "high"
From 7fbefae0c2cc071a1f350c221b460056bc53d50d Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 17 Jun 2026 10:01:17 -0500
Subject: [PATCH 10/12] Update link_financial_document_timeline_template.yml
Updating rule details to reflect changes made.
---
 .../link_financial_document_timeline_template.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 90cfe93556f..1886947b107 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -1,5 +1,5 @@
-name: "Link: Generic financial document and suspicious hosting template"
-description: "Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients."
+name: "Link: Generic financial document with proceedural greeting & timeline template
+description: "Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients."
 type: "rule"
 severity: "medium"
 source: |
@@ -50,14 +50,11 @@ attack_types:
 - "BEC/Fraud"
 - "Credential Phishing"
 tactics_and_techniques:
- - "Free file host"
- - "Open redirect"
 - "Social engineering"
 - "Evasion"
 detection_methods:
 - "Content analysis"
 - "Natural Language Understanding"
- - "URL analysis"
 - "Header analysis"
 - "Sender analysis"
 id: "027cb65d-aee3-5f10-9555-20b719bbde42"
From 9683ae68dbdc226f93481b80d265b1884edf4f2b Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 17 Jun 2026 10:09:46 -0500
Subject: [PATCH 11/12] Update link_financial_document_timeline_template.yml
Accidentally deleted " rule in name.
---
 detection-rules/link_financial_document_timeline_template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 1886947b107..481fe29964d 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
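Review bot: The new `name` misspells "proceedural" (should be "procedural"), and the name is edited again in patches 11 and 12 with the typo surviving both. The new `description` also still says the rule detects "generic greetings", but the greeting check (`strings.istarts_with(body.current_thread.text, "dear sir/madam")`) was removed in patch 03 and nothing in the current `source` inspects the greeting, so the description no longer matches the logic. Suggest `name: "Link: Generic financial document with procedural timeline template"` and a description along the lines of `description: "Detects messages that reference a payment release tied to a specific date or a short N-M day window, contain a link whose text or NLU topic suggests a financial document, and exhibit unusual recipient patterns such as self-sending or missing recipients."`.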
@@ -1,4 +1,4 @@
-name: "Link: Generic financial document with proceedural greeting & timeline template
+name: "Link: Generic financial document with proceedural greeting & timeline template"
 description: "Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients."
 type: "rule"
 severity: "medium"
From 9e2fb5b012e932f1ce250c2e70bf3f9399303d48 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Wed, 17 Jun 2026 10:16:50 -0500
Subject: [PATCH 12/12] Update link_financial_document_timeline_template.yml
Re-corrected the rule name.
---
 detection-rules/link_financial_document_timeline_template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index 481fe29964d..3c0fdc37764 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -1,4 +1,4 @@
-name: "Link: Generic financial document with proceedural greeting & timeline template"
+name: "Link: Generic financial document with proceedural timeline template"
 description: "Detects messages with generic greetings that reference payment releases & timelines, and exhibit unusual recipient patterns such as self-sending or missing recipients."
 type: "rule"
 severity: "medium"