From a6f46f19a307c64eb9acfbdf3ef68f569002d652 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Wed, 20 May 2026 18:57:45 -0500
Subject: [PATCH 1/4] Update impersonation_benefits_enrollment.yml

---
 detection-rules/impersonation_benefits_enrollment.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 389ace3143e..06b879cfba6 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -17,7 +17,8 @@ source: |
 'healthcare (choice|selection|opt.?in)',
 '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
 'dependent (coverage|verification)',
- '(health|dental|vision|insurance|medical) enrol{1,2}ment'
+ '(health|dental|vision|insurance|medical) enrol{1,2}ment',
+ 'employee\srewards'
 )
 or regex.icontains(body.current_thread.text,
 'benefit(s)? (plan|choice|selection|deadline|period)',

From c936e90b20b4102046c60ddb50279968b282f3ee Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Thu, 21 May 2026 10:08:33 -0500
Subject: [PATCH 2/4] Update impersonation_benefits_enrollment.yml

From 5e0c283aa0c82eb6ba6c4cebdceecd644fac476d Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Thu, 21 May 2026 10:09:32 -0500
Subject: [PATCH 3/4] Update impersonation_benefits_enrollment.yml

Updating subject regex to match this [sample](https://platform.sublime.security/messages/506b7ca554cdb267d2a7dcbd5c1c2f067b96fa2a45e4354596f0f76fdb407871?preview_id=019e40fc-59c7-77df-9b5f-f9c93842a493)
---
 detection-rules/impersonation_benefits_enrollment.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
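Review bot: The new subject pattern `'employee\srewards'` writes its word separator as `\s` while every neighbouring entry in the same list (`'dependent (coverage|verification)'`, `'(health|dental|vision|insurance|medical) enrol{1,2}ment'`) uses a literal space, so the list now mixes two conventions for the same thing; the same applies to `'allowance\sadjustment'` in the PATCH 3/4 hunk and `'allowance\s(adjustment|modification)'` in the first PATCH 4/4 hunk. Either the literal-space form `'employee rewards'` or the quantified form `'employee\s+rewards'` (which additionally tolerates a doubled space) would keep the list uniform. The regex.icontains call this list belongs to opens outside the hunk, so which field it scans cannot be confirmed from here; the PATCH 3/4 message describes it as the subject regex.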
diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 06b879cfba6..3ae30caeae2 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -18,7 +18,8 @@ source: |
 '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
 'dependent (coverage|verification)',
 '(health|dental|vision|insurance|medical) enrol{1,2}ment',
- 'employee\srewards'
+ 'employee\srewards',
+ 'allowance\sadjustment'
 )
 or regex.icontains(body.current_thread.text,
 'benefit(s)? (plan|choice|selection|deadline|period)',

From f48d4c4bbb8cd85a41e08c73546a3be51cacb22d Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Thu, 21 May 2026 10:20:18 -0500
Subject: [PATCH 4/4] Update impersonation_benefits_enrollment.yml

Updated to include another condition for qr attachments. Here's a [hunt](https://platform.sublime.security/messages/hunt?huntId=019e4b1d-c40d-7298-8871-09a441d0515f) negating the current rule vs. this addition
---
 .../impersonation_benefits_enrollment.yml | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
index 3ae30caeae2..dc83ca0cb39 100644
--- a/detection-rules/impersonation_benefits_enrollment.yml
+++ b/detection-rules/impersonation_benefits_enrollment.yml
@@ -19,7 +19,7 @@ source: |
 'dependent (coverage|verification)',
 '(health|dental|vision|insurance|medical) enrol{1,2}ment',
 'employee\srewards',
- 'allowance\sadjustment'
+ 'allowance\s(adjustment|modification)'
 )
 or regex.icontains(body.current_thread.text,
 'benefit(s)? (plan|choice|selection|deadline|period)',
@@ -73,6 +73,28 @@ source: |
 )
 )
 )
+ ),
+ any(filter(attachments,
+ .file_type in $file_types_images
+ or .file_extension in $file_extensions_macros
+ or .file_type == "pdf"
+ ),
+ any(filter(file.explode(.),
+ .scan.qr.type == "url"
+ and any(recipients.to,
+ .email.domain.valid
+ and (
+ strings.icontains(..scan.qr.url.url, .email.email)
+ or any(beta.scan_base64(..scan.qr.url.url,
+ format="url"
+ ),
+ strings.icontains(., ..email.email)
+ )
+ )
+ )
+ ),
+ .scan.qr.url.url is not null
+ )
 )
 )
 // negate replies
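Review bot: The null guard `.scan.qr.url.url is not null` is applied as the outer `any` predicate only after the filter predicate has already handed `..scan.qr.url.url` to `strings.icontains` and `beta.scan_base64`, so it guards nothing those calls do; moving it into the filter ahead of them, `.scan.qr.type == "url" and .scan.qr.url.url is not null and any(recipients.to, ...)`, makes the intent explicit and leaves the trailing predicate redundant. The recipient match is a plain substring test against `.email.email`, so a QR URL that carries the address URL-encoded (`@` as `%40`) would be missed by both branches; it is worth checking the hunt results for whether that form appears before relying on the raw comparison alone. Only `recipients.to` is consulted here, so if the rule's other branches also consider cc recipients this condition should match that scope. The expression closed by the leading `),` line opens outside the hunk, so the operator that joins the new attachment condition to the existing logic cannot be verified from what is shown.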