From d8a4632378442807389e5307a0bea8e7693e0f33 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Mon, 18 May 2026 12:23:18 -0500
Subject: [PATCH] Update Emp Imp Payroll Fraud rule to look for SDN in subject as well

Adding an or statement to look for org display name in the subject line.

---
 detection-rules/impersonation_employee_payroll_fraud.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml
index 2fcc2f974c0..fb5b741a301 100644
--- a/detection-rules/impersonation_employee_payroll_fraud.yml
+++ b/detection-rules/impersonation_employee_payroll_fraud.yml
@@ -6,10 +6,12 @@
 type: "rule"
 severity: "high"
 source: |
 type.inbound
- // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
 and strings.contains(sender.display_name, " ")
- and sender.display_name in~ $org_display_names
+ and (
+ sender.display_name in~ $org_display_names
+ or subject.base in~ $org_display_names
+ )
 and length(attachments) == 0
 and length(body.links) < 10
 and length(body.current_thread.text) < 800
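Review bot: The new `or subject.base in~ $org_display_names` branch has no equivalent of the single-word guard the display-name branch keeps, so a one-word entry in `$org_display_names` (the process-account case the deleted `// ensure the display name contains a space ...` comment was protecting against) will fire whenever it appears as the whole subject, while `strings.contains(sender.display_name, " ")` still gates both branches even though it says nothing about the subject. Consider mirroring the guard on the new branch, `or (strings.contains(subject.base, " ") and subject.base in~ $org_display_names)`, and restoring the deleted comment so the reason for the space check survives in the rule. Whether `subject.base` strips reply/forward prefixes and whether `in~` is an exact case-insensitive match are not visible here, so confirm that a subject like 'Re: Jane Doe' is handled as intended before relying on this branch. The `source` expression appears to continue past the hunk, and the rule's name and description outside the hunk may still describe display-name matching only.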