From 3e80d6370bb6e041e715ebffc54239fff2d5c18e Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Thu, 21 May 2026 10:09:20 -0500
Subject: [PATCH 1/4] title starts with cloud
---
 detection-rules/link_credential_phishing_cloud_service.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index 2c4f268f509..5d5a2fae579 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -10,6 +10,7 @@ source: |
 )
 // cloud emoji
 or regex.contains(body.current_thread.text, '^\x{2601}')
+ or regex.icontains(body.html.raw, ' ?cloud')
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == 'cred_theft' and .confidence == 'high'
From b1cb73ecd22d8ee8f0333ebfb1364fe854e49edc Mon Sep 17 00:00:00 2001
From: Daniel Bolton <daniel@sublimesecurity.com>
Date: Thu, 21 May 2026 13:40:05 -0500
Subject: [PATCH 2/4] look for cloud anywhere in the title
---
 detection-rules/link_credential_phishing_cloud_service.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index 5d5a2fae579..a0a2ec569b5 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -10,7 +10,7 @@ source: |
 )
 // cloud emoji
 or regex.contains(body.current_thread.text, '^\x{2601}')
- or regex.icontains(body.html.raw, '<title> ?cloud')
+ or any(html.xpath(body.html, '//title').nodes, strings.icontains(.raw, 'cloud'))
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == 'cred_theft' and .confidence == 'high'
From 02aedc0ba8060a2849796654b4a1b770f45ebb01 Mon Sep 17 00:00:00 2001
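Review bot: The added `or regex.icontains(body.html.raw, '<title> ?cloud')` line only matches when the title tag is bare and followed by at most one space, so a `<title>` carrying an attribute or followed by a newline and indentation before the text is not matched even though the title does start with "cloud"; `or regex.icontains(body.html.raw, '<title[^>]*>\s*cloud')` keeps the intended starts-with semantics while tolerating that markup. PATCH 4/4 reintroduces the identical line, so the same change applies there. On this page the PATCH 1/4 added line reads `' ?cloud'` while the line PATCH 2/4 removes reads `'<title> ?cloud'`, which suggests the tag text was lost in rendering rather than in the commit itself. The `or ( … )` group this line belongs to opens before the hunk, so the sibling conditions are not visible here.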
From: CI Bot <hello@sublimesecurity.com>
Date: Thu, 21 May 2026 18:41:27 +0000
Subject: [PATCH 3/4] Auto-format MQL and add rule IDs
---
 detection-rules/link_credential_phishing_cloud_service.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index a0a2ec569b5..c04d6d00db0 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -10,7 +10,9 @@ source: |
 )
 // cloud emoji
 or regex.contains(body.current_thread.text, '^\x{2601}')
- or any(html.xpath(body.html, '//title').nodes, strings.icontains(.raw, 'cloud'))
+ or any(html.xpath(body.html, '//title').nodes,
+ strings.icontains(.raw, 'cloud')
+ )
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == 'cred_theft' and .confidence == 'high'
From 93560ef55845c80a048ca299c4f5deda648eb6f4 Mon Sep 17 00:00:00 2001
From: Daniel Bolton <daniel@sublimesecurity.com>
Date: Thu, 21 May 2026 16:31:19 -0500
Subject: [PATCH 4/4] reverting back to use title starts with cloud
---
 detection-rules/link_credential_phishing_cloud_service.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index c04d6d00db0..5d5a2fae579 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -10,9 +10,7 @@ source: |
 )
 // cloud emoji
 or regex.contains(body.current_thread.text, '^\x{2601}')
- or any(html.xpath(body.html, '//title').nodes,
- strings.icontains(.raw, 'cloud')
- )
+ or regex.icontains(body.html.raw, '<title> ?cloud')
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == 'cred_theft' and .confidence == 'high'
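Review bot: The PATCH 4/4 hunk restores the starts-with regex without recording in the rule why the `//title` xpath form that matched "cloud" anywhere in the title was abandoned, so the next maintainer reading only the file has no reason not to widen it again. A comment above the restored line, in the style of the existing `// cloud emoji` comment, would carry that intent: `// title must begin with "cloud"; matching it anywhere in the title was tried and reverted`. The post-image blob `5d5a2fae579` on this hunk's `index` line is the same blob PATCH 1/4 produced, so the series as a whole nets out to that single added line.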