From c5d438e03afba33ecba3a20caa4ccb87c6a9c0e6 Mon Sep 17 00:00:00 2001 From: cw-sublime Date: Wed, 20 May 2026 19:19:12 -0400 Subject: [PATCH 1/4] Update credential_phishing_suspicious_subject_nlu_financial_urgent.yml --- ...uspicious_subject_nlu_financial_urgent.yml | 48 ++++++++++++------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml index 88a32985463..a5c24f8d294 100644 --- a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml +++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml @@ -15,13 +15,13 @@ source: | ) ) < 5 ) - + // negate webinar registrations and not any(body.links, .display_text =~ "REGISTER NOW" and .href_url.domain.root_domain == "secureclick.net" ) - + // not all links are unsubscribe links and not all(body.links, ( @@ -33,12 +33,12 @@ source: | and strings.icontains(.href_url.path, "DeactivateAccount") ) ) - + // ignore emails in body and not all(body.links, .href_url.domain.domain in $free_email_providers) and length(body.current_thread.text) < 2000 and length(subject.subject) < 100 - + // and suspicious subject and regex.icontains(subject.subject, // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects_regex.txt @@ -169,7 +169,7 @@ source: | "your (customer )?account .as", "your.office.365", "your.online.access", - + // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt "account has been limited", "action required", 
@@ -237,35 +237,47 @@ source: | "your document settlement", "your order with amazon", "your password has been compromised", - + "ach? (?:payment|transfer|transaction)", + // cryptocurrency related subjects '\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview', ) - + // language attempting to engage and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request" ) - + // financial request and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial" ) - + // urgency request - and any(ml.nlu_classifier(body.current_thread.text).entities, - .name == "urgency" + and ( + any(ml.nlu_classifier(body.current_thread.text).entities, + .name in ("urgency", "greeting") + ) + and any(ml.nlu_classifier(body.current_thread.text).tags, + .name == "payment" + ) + and any(body.current_thread.links, + regex.icontains(.display_text, + '(?:view|click|download|check|validate\s+(?:bank(?:ing)?|ach|wire|routing)\s+\summary|payment|transaction)' + ) + ) ) - + // org presence and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org") - + // not a reply and ( not strings.istarts_with(subject.subject, "re:") and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + or not length(headers.reply_to) > 0 ) - + // the message is unsolicited and no false positives and ( not profile.by_sender_email().solicited @@ -281,7 +293,7 @@ source: | ) ) ) - + // negate highly trusted sender domains unless they fail DMARC authentication and ( ( @@ -290,14 +302,16 @@ source: | ) or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) - + // negation the only link is the senders email and not ( regex.contains(body.current_thread.text, "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}" ) and ( - all(body.links, .href_url.domain.root_domain == sender.email.domain.domain) + all(body.links, + .href_url.domain.root_domain == sender.email.domain.domain + ) ) ) attack_types: 
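Review bot: The `or not length(headers.reply_to) > 0` clause added to the `// not a reply` block changes its meaning, because `and` binds tighter than `or`: the block is now satisfied by any message that has no Reply-To header, regardless of the `re:` subject and In-Reply-To checks, so most replies pass it. If this is meant as an extra exclusion it should be joined with `and` (`and not length(headers.reply_to) > 0`) or parenthesized with the other two conditions; if it is a deliberate widening, the comment should say so. Separately, the new subject pattern `"ach? (?:payment|transfer|transaction)"` makes the `h` optional and has no word boundary, so any subject with a word ending in `ac` before `payment`/`transfer`/`transaction` (e.g. `zodiac transfer`) matches; `'\bach\b (?:payment|transfer|transaction)'`, in the file's single-quoted raw style, pins it to the ACH token. The link display-text regex in the urgency block also spells `\summary`, which is `\s` followed by `ummary` and never matches the literal word `summary`. The enclosing `source:` expression starts and ends outside the hunk.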
From 65f191349477006357bf86dec97fc563a6b6a00f Mon Sep 17 00:00:00 2001 From: CI Bot Date: Wed, 20 May 2026 23:29:47 +0000 Subject: [PATCH 2/4] Auto-format MQL and add rule IDs --- ...uspicious_subject_nlu_financial_urgent.yml | 36 +++++++++---------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml index a5c24f8d294..36b14276ff1 100644 --- a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml +++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml @@ -15,13 +15,13 @@ source: | ) ) < 5 ) - + // negate webinar registrations and not any(body.links, .display_text =~ "REGISTER NOW" and .href_url.domain.root_domain == "secureclick.net" ) - + // not all links are unsubscribe links and not all(body.links, ( @@ -33,12 +33,12 @@ source: | and strings.icontains(.href_url.path, "DeactivateAccount") ) ) - + // ignore emails in body and not all(body.links, .href_url.domain.domain in $free_email_providers) and length(body.current_thread.text) < 2000 and length(subject.subject) < 100 - + // and suspicious subject and regex.icontains(subject.subject, // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects_regex.txt @@ -169,7 +169,7 @@ source: | "your (customer )?account .as", "your.office.365", "your.online.access", - + // https://github.com/sublime-security/static-files/blob/main/suspicious_subjects.txt "account has been limited", "action required", 
@@ -238,46 +238,44 @@ source: | "your order with amazon", "your password has been compromised", "ach? (?:payment|transfer|transaction)", - + // cryptocurrency related subjects '\d{1,2}.\d{1,8}\s(BTC|ETH|SOL|(?:USD[CT])|XRP) Offer Waiting for(\sYour)?\sReview', ) - + // language attempting to engage and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request" ) - + // financial request and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "financial" ) - + // urgency request and ( any(ml.nlu_classifier(body.current_thread.text).entities, .name in ("urgency", "greeting") ) - and any(ml.nlu_classifier(body.current_thread.text).tags, - .name == "payment" - ) + and any(ml.nlu_classifier(body.current_thread.text).tags, .name == "payment") and any(body.current_thread.links, regex.icontains(.display_text, '(?:view|click|download|check|validate\s+(?:bank(?:ing)?|ach|wire|routing)\s+\summary|payment|transaction)' ) ) ) - + // org presence and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org") - + // not a reply and ( not strings.istarts_with(subject.subject, "re:") and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) or not length(headers.reply_to) > 0 ) - + // the message is unsolicited and no false positives and ( not profile.by_sender_email().solicited @@ -293,7 +291,7 @@ source: | ) ) ) - + // negate highly trusted sender domains unless they fail DMARC authentication and ( ( @@ -302,16 +300,14 @@ source: | ) or sender.email.domain.root_domain not in $high_trust_sender_root_domains ) - + // negation the only link is the senders email and not ( regex.contains(body.current_thread.text, "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}" ) and ( - all(body.links, - .href_url.domain.root_domain == sender.email.domain.domain - ) + all(body.links, .href_url.domain.root_domain == sender.email.domain.domain) ) ) attack_types: From 12149b442b914b69f847d766b64507e1074db87b Mon Sep 17 00:00:00 2001 
From: cw-sublime Date: Wed, 20 May 2026 19:38:04 -0400 Subject: [PATCH 3/4] Simplify urgency request logic in phishing detection Refactor urgency request condition in detection rules. --- ...hishing_suspicious_subject_nlu_financial_urgent.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml index 36b14276ff1..0484a905394 100644 --- a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml +++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml @@ -254,17 +254,9 @@ source: | ) // urgency request - and ( - any(ml.nlu_classifier(body.current_thread.text).entities, + and any(ml.nlu_classifier(body.current_thread.text).entities, .name in ("urgency", "greeting") ) - and any(ml.nlu_classifier(body.current_thread.text).tags, .name == "payment") - and any(body.current_thread.links, - regex.icontains(.display_text, - '(?:view|click|download|check|validate\s+(?:bank(?:ing)?|ach|wire|routing)\s+\summary|payment|transaction)' - ) - ) - ) // org presence and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org") From 2fbb837cc8dfe56692dbb5eb9194921849ca7076 Mon Sep 17 00:00:00 2001 From: CI Bot Date: Wed, 20 May 2026 23:39:12 +0000 Subject: [PATCH 4/4] Auto-format MQL and add rule IDs --- ...ntial_phishing_suspicious_subject_nlu_financial_urgent.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml index 0484a905394..6008bfcc386 100644 --- a/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml +++ b/detection-rules/credential_phishing_suspicious_subject_nlu_financial_urgent.yml 
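Review bot: With the payment-tag and link-text conditions removed, the only gate left under `// urgency request` is `.name in ("urgency", "greeting")`, which a greeting entity alone satisfies; for a rule named `..._financial_urgent` this drops the urgency requirement entirely for any message that merely opens with a greeting. If that widening is intended, the comment should say so (`// urgency request, or a greeting in lieu of one`); otherwise restore `.name == "urgency"` or put `greeting` in a separate `and` condition. The enclosing `source:` expression starts and ends outside the hunk.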
@@ -255,8 +255,8 @@ source: | // urgency request and any(ml.nlu_classifier(body.current_thread.text).entities, - .name in ("urgency", "greeting") - ) + .name in ("urgency", "greeting") + ) // org presence and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "org")