Skip to content

Refactor keywords in Cloud service with credential theft language#4527

Open
cybher0808 wants to merge 2 commits into
mainfrom
cybher0808.fn.esc-13941.cloudservice
Open

Refactor keywords in Cloud service with credential theft language#4527
cybher0808 wants to merge 2 commits into
mainfrom
cybher0808.fn.esc-13941.cloudservice

Conversation

@cybher0808
Copy link
Copy Markdown
Member

@cybher0808 cybher0808 commented May 21, 2026
edited
Loading

Description

Finding additional keywords that also contains a string text - "Cloud+"

Associated samples

Associated hunts

@cybher0808 cybher0808 requested a review from a team May 21, 2026 23:00
@cybher0808 cybher0808 requested a review from a team as a code owner May 21, 2026 23:00
@cybher0808 cybher0808 self-assigned this May 21, 2026
@cybher0808 cybher0808 added the in-test-rules PR is in our testing suite to collect telemetry label May 21, 2026
github-actions Bot added a commit that referenced this pull request May 21, 2026
@github-actions
[Shared Samples] [PR #4527] added rule: PR# 4527 - Impersonation Link…
c5a4527 
…: Cloud branding service with credential theft language
github-actions Bot added a commit that referenced this pull request May 21, 2026
@github-actions
[Test Rules] [PR #4527] added rule: Impersonation Link: Cloud brandin…
04fbd6c 
…g service with credential theft language
@cybher0808
Copy link
Copy Markdown
Member Author

cybher0808 commented May 22, 2026
edited
Loading

Telemetry looks sweet with about 99.81% of malicious/FN's.

  • There is 1 email labeled benign from this hunt that looks weird or is it just me??? -
    This email - the end of the email looks weird compared the rest of the emails from this sender. See my notes in ESC for further details.

  • Ran the latest hunt 1D span - today@5/22/2026

Marking for R4R.

@cybher0808 cybher0808 added the review-needed Indicates that a PR is waiting for review label May 22, 2026
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 22, 2026
@github-actions
[Test Rules] [PR sublime-security#4527] added rule: Impersonation Lin…
ae4b6e6 
…k: Cloud branding service with credential theft language
@IndiaAce
Copy link
Copy Markdown
Member

IndiaAce commented May 22, 2026

It's for sure a strange email but I would still call it a false positive for this rule as it's not within the scope of this rule. Something you might consider adding is a check for Cloud+ not being followed by the word unsubscribe without a space? Or we can ignore it. I ran a 180 day hunt in shared samples and only say this 1 message with cloud+unsubscribe. Down for whatever here just lmk.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@cybher0808 cybher0808

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cybher0808 @IndiaAce