Skip to content

Create recon_hotel_booking_reply_to_redirect.yml #3797

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
JFarina5 wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Create recon_hotel_booking_reply_to_redirect.yml #3797

JFarina5 wants to merge 11 commits into from
+66 −0

Conversation

@JFarina5
Copy link
Member

@JFarina5 JFarina5 commented Jan 16, 2026
edited
Loading

Description

This rule detects smaller messages, that contain a mismatched sender domain and reply-to domain (where the sender domain is a free email provider), and contains hotel/booking related language patterns.

Associated samples

Associated hunts

@JFarina5 JFarina5 requested a review from a team as a code owner January 16, 2026 14:57
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 16, 2026
github-actions bot added a commit that referenced this pull request Jan 16, 2026
@github-actions
[PR #3797] added rule: Reconnaissance: Hotel booking reply-to redirect
8c3ca30
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3797] added rule: PR# 3797 - Reconnaissance: Hot…
4c3928c 
…el booking reply-to redirect
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3797] added rule: Reconnaissance: Hotel booking …
9f32361 
…reply-to redirect
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3797] Delete detection rule
f3cc9ef
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3797] Delete detection rule
d96147f
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3797] added rule: PR# 3797 - Reconnaissance: Hot…
1088715 
…el booking reply-to redirect
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3797] added rule: Reconnaissance: Hotel booking …
e61a233 
…reply-to redirect
@JFarina5
Copy link
Member Author

JFarina5 commented Jan 20, 2026

Results for this rule are good, marking r4r

@JFarina5 JFarina5 added the review-needed Indicates that a PR is waiting for review label Jan 20, 2026
zoomequipd
zoomequipd requested changes Jan 21, 2026
View reviewed changes
@JFarina5 JFarina5 removed the review-needed Indicates that a PR is waiting for review label Jan 22, 2026
@github-actions github-actions bot removed the in-test-rules PR is in our testing suite to collect telemetry label Jan 22, 2026
github-actions bot added a commit that referenced this pull request Jan 22, 2026
@github-actions
[PR #3797] Delete detection rule
e354ff6
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 22, 2026
github-actions bot added a commit that referenced this pull request Jan 22, 2026
@github-actions
[PR #3797] added rule: Reconnaissance: Hotel booking reply-to redirect
93e5863
github-actions bot added a commit that referenced this pull request Jan 22, 2026
@github-actions
[PR #3797] modified rule: Reconnaissance: Hotel booking reply-to redi…
2224325 
…rect
@JFarina5
Took out NLU logic and updated reply/forward logic
49005b9 
NLU logic was to restrictive, header based logic with keyword search should be enough to reduce false positives.
github-actions bot added a commit that referenced this pull request Jan 23, 2026
@github-actions
[PR #3797] modified rule: Reconnaissance: Hotel booking reply-to redi…
a594912 
…rect
@JFarina5
Improve detection rules for hotel booking replies
2741125 
test-rules is showing FPs already, going to 'and' this logic together to reduce future FPs. Hunt has been updated.
github-actions bot added a commit that referenced this pull request Jan 23, 2026
@github-actions
[PR #3797] modified rule: Reconnaissance: Hotel booking reply-to redi…
65196d1 
…rect
@JFarina5
Update keyword flags based on ngram analysis from hunt results
4fe371c 
Should be final update before review ready. Updated keyword flags and took away requirement for sender to not be from a freemail domain (noticed FN where this was the case). Changes should also tune results to fit the scope of the rule.
@github-actions github-actions bot removed the in-test-rules PR is in our testing suite to collect telemetry label Jan 23, 2026
github-actions bot added a commit that referenced this pull request Jan 23, 2026
@github-actions
[PR #3797] Delete detection rule
78e9ba8
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 23, 2026
github-actions bot added a commit that referenced this pull request Jan 23, 2026
@github-actions
[PR #3797] added rule: Reconnaissance: Hotel booking reply-to redirect
b0abb01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JFarina5 @zoomequipd