From e7a76a4f7fc5ada342910d8d17a9a24f7fba8269 Mon Sep 17 00:00:00 2001
From: "Brandon 2: Brandon Harder" <189403278+missingn0pe@users.noreply.github.com>
Date: Mon, 18 May 2026 15:36:45 -0500
Subject: [PATCH] Update regex string in BEC w/ mobile soliciation

Adding "stay connected" to capture discovered FN during unassociated runner.
---
 detection-rules/body_bec_mobile_solicitation.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection-rules/body_bec_mobile_solicitation.yml b/detection-rules/body_bec_mobile_solicitation.yml
index 6cb55871ba9..bc809f41a45 100644
--- a/detection-rules/body_bec_mobile_solicitation.yml
+++ b/detection-rules/body_bec_mobile_solicitation.yml
@@ -16,7 +16,7 @@ source: |
 )
 and length(attachments) == 0
 and regex.icontains(body.current_thread.text,
- '(?:mobile|contact|current|reliable).{0,10}(?:phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:share|what).{0,25}number.{0,15}(?:connect|reach|text|message|contact|call)|(?:\bdrop|which|send.{0,5}your|best).{0,25}(?:number|\bnum\b|#).{0,15}(?:(?:connect|reach|contact|call).{0,5}you|text|message|works?\b)|forward.{0,25}(?:\bnum\b|#)|get (?:your.{0,25}(?:number|\bnum\b|#)|in touch.{0,15}(?:via|by|through).{0,10}(?:text|phone|cell|sms|whatsapp))|(?:provide|confirm|reply.{0,15}with).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})?(?:number|\bnum\b|#|line)|(?:share|send).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})(?:number|\bnum\b|#|line)|(?:share|send).{0,25}preferred.{0,15}(?:text.?enabled.{0,15})?(?:number|\bnum\b|#|line)|(?:direct|preferred).{0,15}line.{0,15}(?:for|to|via).{0,10}(?:text|call|reach|contact|sms)'
+ '(?:mobile|contact|current|reliable).{0,10}(?:phone|number|#|\bno)|whatsapp|\bcell|personalcell|(?:share|what).{0,25}number.{0,15}(?:connect|reach|text|message|contact|call)|(?:\bdrop|which|send.{0,5}your|best).{0,25}(?:number|\bnum\b|#).{0,15}(?:(?:connect|reach|contact|call).{0,5}you|text|message|works?\b|stay connected)|forward.{0,25}(?:\bnum\b|#)|get (?:your.{0,25}(?:number|\bnum\b|#)|in touch.{0,15}(?:via|by|through).{0,10}(?:text|phone|cell|sms|whatsapp))|(?:provide|confirm|reply.{0,15}with).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})?(?:number|\bnum\b|#|line)|(?:share|send).{0,25}(?:direct|preferred).{0,15}(?:text.?enabled.{0,15})?(?:phone.{0,5})(?:number|\bnum\b|#|line)|(?:share|send).{0,25}preferred.{0,15}(?:text.?enabled.{0,15})?(?:number|\bnum\b|#|line)|(?:direct|preferred).{0,15}line.{0,15}(?:for|to|via).{0,10}(?:text|call|reach|contact|sms)'
 )
 and (
 any(ml.nlu_classifier(body.current_thread.text).intents,
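Review bot: The new `stay connected` alternative on the `+` line is the only multi-word literal in that group and is bound to a single ASCII space, so a wrapped line, a double space or a non-breaking space between the two words will still miss under `regex.icontains`; `|works?\b|stay\s+connected)` keeps the intent while tolerating the whitespace variants that body text commonly carries. The neighbouring `(?:connect|reach|contact|call).{0,5}you` only fires when `you` follows, so the new literal is not redundant with it and the ordering inside the alternation does not matter for a contains-match. The commit message cites a false negative found during an unassociated run; if this repository keeps sample messages next to the rules, committing that sample alongside the regex change would pin the addition and catch a later regression (no test fixtures are visible in this patch, so this is inferred). The `source: |` block the regex belongs to starts and ends outside the hunk.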
@@ -65,6 +65,7 @@ source: |
 or profile.by_sender().any_messages_malicious_or_spam
 )
 and not profile.by_sender().any_messages_benign
+
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques: