Add first_name/last_name concat matching to org_vips sender rules#4513
Open
IndiaAce wants to merge 8 commits into
Open
Add first_name/last_name concat matching to org_vips sender rules#4513IndiaAce wants to merge 8 commits into
IndiaAce wants to merge 8 commits into
Conversation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-actions
Bot
added
the
in-test-rules
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…ge (near match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…uest (strict match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
… with reply-to mismatch
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…rict match, untrusted)
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 20, 2026
… with BEC language (near match, untrusted sender)
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 20, 2026
… with invoicing request
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 20, 2026
… with urgent request (strict match, untrusted sender)
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 20, 2026
… with w2 request with reply-to mismatch
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 20, 2026
…mpersonation (strict match, untrusted)
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…with BEC language (near match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…with invoicing request
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…with urgent request (strict match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…with w2 request with reply-to mismatch
github-actions Bot
added a commit
that referenced
this pull request
May 20, 2026
…personation (strict match, untrusted)
rw-access
reviewed
May 20, 2026
Comment on lines
11
to
13
| and not sender.email.domain.root_domain in $high_trust_sender_root_domains | ||
| and not sender.email.domain.root_domain in $org_domains | ||
| and headers.auth_summary.dmarc.pass |
Contributor
There was a problem hiding this comment.
Why are these inside the any($org_vips) check?
…al stripping, revert insights - Remove redundant strings.concat(.first_name, " ", .last_name) checks (already covered by .display_name) - Keep strings.concat(.last_name, ", ", .first_name) for orgs storing VIPs as "Doe, John" - Add regex-based parenthetical stripping for VIP names like "Shelly Chaka (She/her/hers)" - Fix == to =~ for concat checks in vip_impersonation and urgent_request rules - Revert insights/sender/sender_contains_org_vip.yml to main state (out of scope) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…guage (near match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…request (strict match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…est with reply-to mismatch
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…(strict match, untrusted)
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 29, 2026
…ion with BEC language (near match, untrusted sender)
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 29, 2026
…ion with invoicing request
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
… impersonation (strict match, untrusted)
The concat(.first_name, " ", .last_name) check already handles parenthetical display names because .first_name/.last_name are stored as clean values. Also fixes == to =~ for concat checks in vip_impersonation and urgent_request. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 29, 2026
…ion with BEC language (near match, untrusted sender)
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 29, 2026
…ion with invoicing request
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 29, 2026
…ion with urgent request (strict match, untrusted sender)
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 29, 2026
…ion with w2 request with reply-to mismatch
github-actions Bot
added a commit
to IndiaAce/sublime-rules
that referenced
this pull request
May 29, 2026
…e impersonation (strict match, untrusted)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…on with BEC language (near match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…on with invoicing request
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…on with urgent request (strict match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…on with w2 request with reply-to mismatch
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
… impersonation (strict match, untrusted)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…guage (near match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…request (strict match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…est with reply-to mismatch
github-actions Bot
added a commit
that referenced
this pull request
May 29, 2026
…(strict match, untrusted)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…on with BEC language (near match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…on with invoicing request
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…on with urgent request (strict match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…on with w2 request with reply-to mismatch
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
… impersonation (strict match, untrusted)
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…guage (near match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…request (strict match, untrusted sender)
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…est with reply-to mismatch
github-actions Bot
added a commit
that referenced
this pull request
Jun 8, 2026
…(strict match, untrusted)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add alternative name matching logic to org_vips sender-based rules to handle cases where
display_name is stored as "Lastname, Firstname" instead of "Firstname Lastname".
Uses
strings.concat(.first_name, " ", .last_name)andstrings.concat(.last_name, ", ", .first_name)as additional
orconditions inside existingany($org_vips, ...)blocks.This is a test rule deployment to assess impact magnitude.
Affected rules
impersonation_vip_bec_loose.ymlvip_impersonation.ymlimpersonation_vip_urgent_request.ymlimpersonation_vip_invoicing_request.ymlimpersonation_vip_w2_request.ymlsender_contains_org_vip.yml(insight)Associated samples
N/A - validation only (no TP canonical available)
Associated hunts
TBD - will be run after test rule deployment