From 7f622256b2ef5e84cf4b87c014fb89db3918aa43 Mon Sep 17 00:00:00 2001
From: cw-sublime
Date: Thu, 21 May 2026 18:56:57 -0400
Subject: [PATCH 1/2] Refactor keywords in Cloud service with credential theft language

Hunting: https://platform.sublime.security/messages/hunt?huntId=019e4cab-0eb5-7622-818a-273aeb975411
---
 detection-rules/link_credential_phishing_cloud_service.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index 2c4f268f509..5521b661ee2 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -1,12 +1,13 @@
-name: "Link: Cloud service with credential theft language"
-description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
+name: "Impersonation Link: Cloud branding service with credential theft language"
+description: "Detects messages impersonating cloud services that contain high-confidence credential theft language and file sharing topics. The message starts with 'Cloud' or a cloud emoji or Cloud+ text, contains links to external domains not matching the sender's domain, and lacks recipient identification entities."
 type: "rule"
 severity: "medium"
 source: |
 type.inbound
 and (
 any([body.current_thread.text, body.html.inner_text],
- strings.starts_with(., 'Cloud')
+ strings.starts_with(., 'Cloud')
+ or strings.icontains(., "Cloud+")
 )
 // cloud emoji
 or regex.contains(body.current_thread.text, '^\x{2601}')

From 612fecdc03e8d8f2795a3e5b92fbb1f600d5a57e Mon Sep 17 00:00:00 2001
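Review bot: The added `or strings.icontains(., "Cloud+")` is much broader than the `strings.starts_with(., 'Cloud')` it sits next to: it is case-insensitive and matches the substring anywhere in the body, so any text containing "iCloud+" (Apple's subscription tier) satisfies this branch, whereas the existing check and the updated description both speak of a message that *starts with* the cloud keyword. If the intent from the hunt is a Cloud+ brand appearing at the top of the body, anchoring it keeps the branch consistent with the rest of the predicate, e.g. `or strings.istarts_with(., "Cloud+")` or, mirroring the emoji check below, `or regex.icontains(., '^cloud\+')`. If the unanchored match is deliberate because the hunt samples place "Cloud+" mid-body, a one-line comment above it such as `// "Cloud+" branding observed mid-body in hunt 019e4cab` would stop a later reviewer from tightening it. Note that the `and (` group opened here and the remainder of the rule's `source` block close outside this hunk, so I cannot see which downstream conditions (external-link and credential-language checks named in the description) limit the false-positive exposure of this branch.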
From: CI Bot
Date: Thu, 21 May 2026 23:01:10 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/link_credential_phishing_cloud_service.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/detection-rules/link_credential_phishing_cloud_service.yml b/detection-rules/link_credential_phishing_cloud_service.yml
index 5521b661ee2..525ea90f1f8 100644
--- a/detection-rules/link_credential_phishing_cloud_service.yml
+++ b/detection-rules/link_credential_phishing_cloud_service.yml
@@ -6,8 +6,7 @@ source: |
 type.inbound
 and (
 any([body.current_thread.text, body.html.inner_text],
- strings.starts_with(., 'Cloud')
- or strings.icontains(., "Cloud+")
+ strings.starts_with(., 'Cloud') or strings.icontains(., "Cloud+")
 )
 // cloud emoji
 or regex.contains(body.current_thread.text, '^\x{2601}')