From 27d63493d17fd8d7ffc1945bc1db9b415bbbaa84 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Fri, 15 May 2026 17:28:52 -0500
Subject: [PATCH 1/2] Create rule: Generic Financial Document Template

Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients.

---
 ...k_financial_document_timeline_template.yml | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 detection-rules/link_financial_document_timeline_template.yml

diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
new file mode 100644
index 00000000000..d94106cb40b
--- /dev/null
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -0,0 +1,71 @@
+name: "Link: Generic financial document and suspicious hosting template"
+description: "Detects messages with generic 'dear sir/madam' greetings that reference payment releases & timelines, contain links with suspicious hosting or open redirects, and exhibit unusual recipient patterns such as self-sending or missing recipients."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ // standard generic greeting
+ and (
+ strings.istarts_with(body.current_thread.text, "dear sir/madam")
+ // expectation of time
+ and regex.icontains(body.current_thread.text,
+ 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
+ )
+ )
+ // link is malicious
+ and any(body.links,
+ // key phrasing or nlu
+ (
+ regex.icontains(.display_text,
+ '(?:access|view).{0,10}|payment|statement'
+ )
+ or any(ml.nlu_classifier(body.current_thread.text).topics,
+ .name == "Request to View Invoice" and .confidence != "low"
+ )
+ )
+ // suspicious hosting
+ and (
+ .href_url.domain.root_domain in $free_file_hosts
+ or .href_url.domain.tld in $suspicious_tlds
+ or .href_url.domain.root_domain not in $tranco_1m
+ // open redirect
+ or strings.icontains(.href_url.query_params, '=https')
+ )
+ // negate org domains
+ and .href_url.domain.valid != false
+ and .href_url.domain.root_domain not in $org_domains
+ )
+ // suspicious sender behavior
+ and (
+ (
+ length(recipients.to) == 1
+ and length(recipients.cc) == 0
+ and sender.email.email == recipients.to[0].email.email
+ )
+ // no recipient
+ or (
+ (
+ length(recipients.to) == 0
+ and length(recipients.bcc) == 0
+ and length(recipients.cc) == 0
+ )
+ or any(recipients.to,
+ strings.ilike(.display_name, "undisclosed?recipients")
+ )
+ )
+ )
+
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Open redirect"
+ - "Social engineering"
+ - "Evasion"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "URL analysis"
+ - "Header analysis"
+ - "Sender analysis"
From a68fc0d514655d0c378e43c8700abcf31b7af00e Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 15 May 2026 22:32:33 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/link_financial_document_timeline_template.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/link_financial_document_timeline_template.yml b/detection-rules/link_financial_document_timeline_template.yml
index d94106cb40b..900a8888728 100644
--- a/detection-rules/link_financial_document_timeline_template.yml
+++ b/detection-rules/link_financial_document_timeline_template.yml
@@ -69,3 +69,4 @@ detection_methods:
 - "URL analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "027cb65d-aee3-5f10-9555-20b719bbde42"
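Review bot: The display-text regex `'(?:access|view).{0,10}|payment|statement'` under the "key phrasing or nlu" comment has a no-op `.{0,10}` — nothing follows it in that alternative, so the first branch reduces to `access|view` and the link-text gate fires on any link label containing "view" or "access" (or "payment"/"statement"), far broader than the comment implies, and because it is `or`-ed with the NLU topic it is the only text check when the classifier returns nothing. If the intent is an action verb followed by a document noun, tighten it to `'(?:access|view).{0,10}(?:payment|statement|invoice|document)'` (noun list to be confirmed against the samples the rule was built from); otherwise drop the `.{0,10}`. The timeline regex `'\b[1-4].[1-4]\b.{1,10}days?'` has a similar looseness — the unescaped `.` matches any character, so `2-3 days` and `3x4 days` are treated alike; `[-–/ ]` would make the intended separator explicit. `.href_url.domain.root_domain not in $tranco_1m` also makes the "suspicious hosting" branch true for nearly every non-top-1M link, so the rule's precision rests almost entirely on the recipient-pattern block; a comment such as `// not-in-Tranco is intentionally broad; the recipient checks below carry the precision` would tell the next maintainer that is deliberate.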