Skip to content

Create rule: Generic Financial Document Template#4498

Open
missingn0pe wants to merge 2 commits into
mainfrom
missingn0pe.fn.ESC-13584.new_rule_generic_financials_template
Open

Create rule: Generic Financial Document Template#4498
missingn0pe wants to merge 2 commits into
mainfrom
missingn0pe.fn.ESC-13584.new_rule_generic_financials_template

Conversation

@missingn0pe
Copy link
Copy Markdown
Member

@missingn0pe missingn0pe commented May 15, 2026

Description

Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients.

Associated samples

- Sample 1

Associated hunts

- Hunt 1 (Shared Samples)
- Hunt 2 (Multi-hunt)

@missingn0pe
Create rule: Generic Financial Document Template
27d6349 
Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients.
@missingn0pe missingn0pe requested a review from a team May 15, 2026 22:31
@missingn0pe missingn0pe requested a review from a team as a code owner May 15, 2026 22:31
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label May 15, 2026
github-actions Bot added a commit that referenced this pull request May 15, 2026
@github-actions
[Test Rules] [PR #4498] added rule: Link: Generic financial document …
0b3e8be 
…and suspicious hosting template
github-actions Bot added a commit that referenced this pull request May 15, 2026
@github-actions
[Shared Samples] [PR #4498] added rule: PR# 4498 - Link: Generic fina…
4e6f336 
…ncial document and suspicious hosting template
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 19, 2026
@github-actions
[Test Rules] [PR sublime-security#4498] added rule: Link: Generic fin…
8046cd1 
…ancial document and suspicious hosting template
@missingn0pe
Copy link
Copy Markdown
Member Author

missingn0pe commented May 22, 2026

Telemetry looks good. Low volume TTP but viable. 4 net new samps over L90D, good detection in depth.

One observable - There is similar style rule that matches after a few changes, but only hits 2 of the 91 samps flagged in this PR over L90D, this PR does not lean on profiles, and is a very specific pattern.

- Hunt 1 L90D (Shared Samps)
- Hunt 2 L30D (Multi-hunt)

@missingn0pe missingn0pe added the review-needed Indicates that a PR is waiting for review label May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@missingn0pe