Skip to content

Create attachment_employment_contract_update.yml#3831

Merged
aidenmitchell merged 5 commits intomainfrom
msadministrator.fn.esc-3262.attachment_employment_update
Jan 28, 2026
Merged

Create attachment_employment_contract_update.yml#3831
aidenmitchell merged 5 commits intomainfrom
msadministrator.fn.esc-3262.attachment_employment_update

Conversation

@MSAdministrator
Copy link
Copy Markdown
Member

@MSAdministrator MSAdministrator commented Jan 23, 2026

Description

Detects messages containing two attachments where one is a PowerPoint file with suspicious character substitution in the filename ('Empl0yment' using zero instead of 'o') and body text claiming an employment contract has been updated.

Associated samples

Associated hunts

@MSAdministrator MSAdministrator requested a review from a team as a code owner January 23, 2026 19:23
@MSAdministrator
Copy link
Copy Markdown
Member Author

MSAdministrator commented Jan 23, 2026

This is related to #3696

@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 23, 2026
github-actions Bot added a commit that referenced this pull request Jan 23, 2026
@github-actions
[PR #3831] added rule: Attachment: Employment contract update with su…
e88b473 
…spicious file naming
@MSAdministrator MSAdministrator self-assigned this Jan 24, 2026
@MSAdministrator MSAdministrator added the review-needed Indicates that a PR is waiting for review label Jan 24, 2026
zoomequipd
zoomequipd requested changes Jan 27, 2026
View reviewed changes
Comment thread detection-rules/attachment_employment_contract_update.yml Outdated
@MSAdministrator @zoomequipd
Update detection-rules/attachment_employment_contract_update.yml
f790c7a 
Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
github-actions Bot added a commit that referenced this pull request Jan 27, 2026
@github-actions
[PR #3831] modified rule: Attachment: Employment contract update with…
f2079b0 
… suspicious file naming
@zoomequipd zoomequipd enabled auto-merge January 27, 2026 18:36
@aidenmitchell aidenmitchell added this pull request to the merge queue Jan 28, 2026
Merged via the queue into main with commit 89ac6a8 Jan 28, 2026
2 checks passed
@aidenmitchell aidenmitchell deleted the msadministrator.fn.esc-3262.attachment_employment_update branch January 28, 2026 16:08
github-actions Bot added a commit that referenced this pull request Jan 28, 2026
@github-actions
[PR #3831] Delete detection rule
064122d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd approved these changes

Assignees

@MSAdministrator MSAdministrator

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MSAdministrator @zoomequipd @aidenmitchell