From 9f202bf89f68bca7f6d9576aa5ca4c4d765aab07 Mon Sep 17 00:00:00 2001
From: John Farina
Date: Wed, 20 May 2026 12:46:46 -0400
Subject: [PATCH 1/4] Create brand_impersonation_morgan_stanley.yml

---
 .../brand_impersonation_morgan_stanley.yml | 76 +++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 detection-rules/brand_impersonation_morgan_stanley.yml

diff --git a/detection-rules/brand_impersonation_morgan_stanley.yml b/detection-rules/brand_impersonation_morgan_stanley.yml
new file mode 100644
index 00000000000..2222c191f76
--- /dev/null
+++ b/detection-rules/brand_impersonation_morgan_stanley.yml
@@ -0,0 +1,76 @@
+name: "Brand impersonation: Morgan Stanley"
+description: "Detects messages impersonating Morgan Stanley that contain multiple indicators of credential theft or callback scams, including references to secure email systems, client service centers, financial advisors, and registration processes. The rule identifies spoofed communications by checking for Morgan Stanley branding elements while excluding legitimate domains."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ strings.ilike(strings.replace_confusables(sender.display_name),
+ '*morgan stanley*',
+ '*morganstanley*'
+ )
+ or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+ 'morgan stanley'
+ ) <= 2
+ or any(ml.nlu_classifier(body.current_thread.text).entities,
+ .name in ("org", "sender")
+ and strings.icontains(.text, 'Morgan Stanley')
+ )
+ or strings.icontains(body.current_thread.text,
+ 'secure.emailhelp@morganstanley.com'
+ )
+ )
+ and strings.icontains(body.current_thread.text, "Morgan Stanley")
+ and 2 of (
+ strings.icontains(body.current_thread.text, "Client Service Center"),
+ regex.icontains(body.current_thread.text,
+ 'Financial Advis?or\s*[|/]\s*(?:Portfolio\s+)?Manager'
+ ),
+ regex.icontains(body.current_thread.text, 'Secure (?:E-)?Mail'),
+ strings.icontains(body.current_thread.text, "Click here to view"),
+ strings.icontains(body.current_thread.text, "encrypted messages"),
+ strings.icontains(body.current_thread.text, "1-800-780-0256"),
+ strings.icontains(body.current_thread.text,
+ "secure.emailhelp@morganstanley.com"
+ ),
+ regex.icontains(body.current_thread.text,
+ 'Morgan Stanley\s+(?:Smith Barney|Wealth Management|\w+\s+Team)'
+ ),
+ strings.icontains(body.current_thread.text, "Member SIPC"),
+ regex.icontains(body.current_thread.text, '©\s*20[0-9]{2}\s*Morgan Stanley'),
+ strings.icontains(body.current_thread.text, "one-time registration"),
+ regex.icontains(body.current_thread.text,
+ 'link will expire on 
\d{4}-\d{2}-\d{2}'
+ ),
+ any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name in ("cred_theft", "callback_scam") and .confidence == "high"
+ )
+ )
+ and not (
+ sender.email.domain.root_domain in (
+ "morganstanley.com",
+ "morganstanley.net",
+ "ms.com",
+ "etrade.com",
+ "etradefinancial.com",
+ "etrademail.com",
+ "etradefrommorganstanley.com",
+ "smithbarney.com",
+ "morganstanleypwm.com",
+ "morganstanleymufg.com",
+ "msgraystone.com",
+ "msfundservices.com",
+ "ultimusleverpoint.com",
+ "icapitalnetwork.com"
+ )
+ and coalesce(headers.auth_summary.dmarc.pass, false)
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Natural Language Understanding"
+ - "Sender analysis"

From 6761e0c0b457a17f8df4fcc371023b5c3bea08e0 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Wed, 20 May 2026 16:53:27 +0000
Subject: [PATCH 2/4] Auto-format MQL and add rule IDs

---
 detection-rules/brand_impersonation_morgan_stanley.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/brand_impersonation_morgan_stanley.yml b/detection-rules/brand_impersonation_morgan_stanley.yml
index 2222c191f76..d4cba4a0f9b 100644
--- a/detection-rules/brand_impersonation_morgan_stanley.yml
+++ b/detection-rules/brand_impersonation_morgan_stanley.yml
@@ -74,3 +74,4 @@ detection_methods:
 - "Content analysis"
 - "Natural Language Understanding"
 - "Sender analysis"
+id: "3bb49b76-bf8f-598c-9854-7b8f3aadf3df"

From dbf45a6ba785691547629bc7ffddf12f95363d52 Mon Sep 17 00:00:00 2001
From: John Farina
Date: Thu, 21 May 2026 09:32:27 -0400
Subject: [PATCH 3/4] Update brand_impersonation_morgan_stanley.yml

Based on FPs, adding domains to exclusion list
---
 .../brand_impersonation_morgan_stanley.yml | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)
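Review bot: The phone-number indicator `strings.icontains(body.current_thread.text, "1-800-780-0256")` matches only that exact formatting, so a lure that writes the number as 800-780-0256, (800) 780-0256 or 1.800.780.0256 sheds this indicator for free; a separator-tolerant form such as `regex.icontains(body.current_thread.text, '(?:1[-.\s]?)?800[-.\s]?780[-.\s]?0256'),` keeps the same intent. Note also that `secure.emailhelp@morganstanley.com` appears both as a gating branch of the first `or` group and again inside the `2 of` list, so a body carrying only that address plus one generic phrase such as "Click here to view" already fires — fine if deliberate, but a comment above the `2 of` block stating that this double-counting is intended would save the next maintainer from "fixing" it. The exclusion correctly pairs the root-domain match with `coalesce(headers.auth_summary.dmarc.pass, false)`, which is the right shape for a first-party allow list.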
diff --git a/detection-rules/brand_impersonation_morgan_stanley.yml b/detection-rules/brand_impersonation_morgan_stanley.yml
index d4cba4a0f9b..463c2e05bda 100644
--- a/detection-rules/brand_impersonation_morgan_stanley.yml
+++ b/detection-rules/brand_impersonation_morgan_stanley.yml
@@ -48,20 +48,26 @@ source: |
 )
 and not (
 sender.email.domain.root_domain in (
- "morganstanley.com",
- "morganstanley.net",
- "ms.com",
+ "adobesign.com",
+ "docusign.net",
 "etrade.com",
 "etradefinancial.com",
- "etrademail.com",
 "etradefrommorganstanley.com",
- "smithbarney.com",
- "morganstanleypwm.com",
+ "etrademail.com",
+ "icapitalnetwork.com",
+ "morganstanley.com",
+ "morganstanley.net",
+ "morganstanleyatwork.com",
 "morganstanleymufg.com",
- "msgraystone.com",
+ "morganstanleypwm.com",
+ "ms.com",
 "msfundservices.com",
+ "msgraystone.com",
+ "myworkday.com",
+ "proxyvote.com",
+ "smithbarney.com",
 "ultimusleverpoint.com",
- "icapitalnetwork.com"
+ "zoom.us"
 )
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )

From 81ee95331478f5c0a0bac95b6532195a477b06f2 Mon Sep 17 00:00:00 2001
From: John Farina
Date: Fri, 22 May 2026 10:32:18 -0400
Subject: [PATCH 4/4] Update brand_impersonation_morgan_stanley.yml

Adding additional root_domain negations
---
 detection-rules/brand_impersonation_morgan_stanley.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/detection-rules/brand_impersonation_morgan_stanley.yml b/detection-rules/brand_impersonation_morgan_stanley.yml
index 463c2e05bda..bc75e6a79c3 100644
--- a/detection-rules/brand_impersonation_morgan_stanley.yml
+++ b/detection-rules/brand_impersonation_morgan_stanley.yml
@@ -54,6 +54,7 @@ source: |
 "etradefinancial.com",
 "etradefrommorganstanley.com",
 "etrademail.com",
+ "fidelity.com",
 "icapitalnetwork.com",
 "morganstanley.com",
 "morganstanley.net",
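Review bot: Putting multi-tenant SaaS senders — `adobesign.com`, `docusign.net`, `myworkday.com`, `zoom.us` — into the `root_domain` exclusion opens a bypass rather than fixing a false positive: a DMARC pass on `docusign.net` only proves DocuSign relayed the mail, and anyone with a free DocuSign or Adobe Sign account can deliver a Morgan Stanley-branded envelope that this rule now skips. The first-party Morgan Stanley and E*TRADE domains are safe to exempt on DMARC alone, but shared platforms need a tenant-level signal before they are trusted, for example a separate `or` branch that also requires the display name or Reply-To to resolve to a Morgan Stanley-owned domain, or matching the tenant's full sending domain instead of the root. If that is impractical, the shared platforms are better handled by lowering severity than by a blanket negation, and a comment separating "first-party Morgan Stanley domains" from "third-party platforms seen in FPs" would make future additions easier to vet.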
@@ -67,6 +68,8 @@ source: |
 "proxyvote.com",
 "smithbarney.com",
 "ultimusleverpoint.com",
+ "webcasts.com",
+ "zendesk.com",
 "zoom.us"
 )
 and coalesce(headers.auth_summary.dmarc.pass, false)
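Review bot: `zendesk.com` is a shared help-desk platform: every Zendesk customer sends from its own tenant subdomain and passes DMARC for `zendesk.com`, so an attacker-controlled tenant mailing a Morgan Stanley "secure message" is now excluded on `sender.email.domain.root_domain` alone. If the observed FP came from a specific Morgan Stanley-operated tenant, pin that tenant's full sending domain (e.g. `sender.email.domain.domain == "<tenant>.zendesk.com"`) rather than the root, and apply the same scrutiny to `webcasts.com` if it hosts events for arbitrary customers. The commit message "Adding additional root_domain negations" does not record which FP each domain addresses; a short comment per third-party entry would let a later reviewer judge whether the exemption is still warranted.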