From e3b03d6b3a4e911cf892e8021f665bbf789b73aa Mon Sep 17 00:00:00 2001
From: John Farina
Date: Fri, 22 May 2026 15:09:35 -0400
Subject: [PATCH 1/2] Update credential_phishing_one_drive_impersonation.yml

---
 .../credential_phishing_one_drive_impersonation.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/detection-rules/credential_phishing_one_drive_impersonation.yml b/detection-rules/credential_phishing_one_drive_impersonation.yml
index dcf4f9f028c..4bb51baa51a 100644
--- a/detection-rules/credential_phishing_one_drive_impersonation.yml
+++ b/detection-rules/credential_phishing_one_drive_impersonation.yml
@@ -9,7 +9,8 @@ source: |
 (
 regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
 or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
- or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+ or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name
+ ),
 "one?drive"
 ) < 2
 or any(attachments,
@@ -42,7 +43,9 @@ source: |
 )
 )
 )
- or regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')
+ or regex.imatch(strings.replace_confusables(body.current_thread.text),
+ '[0o]ne\s?dr[il1]ve.*'
+ )
 // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
 or (
 regex.icontains(strings.replace_confusables(subject.subject),
@@ -72,7 +75,7 @@ source: |
 ) > 0.5
 )
 )
 )
-
+
 // and body language is med/high confidence cred theft
 and (
 any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -97,13 +100,13 @@ source: |
 )
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )
-
+
 // negate highly trusted sender domains unless they fail DMARC authentication
 and not (
 sender.email.domain.root_domain in $high_trust_sender_root_domains
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )
-
+
 // excludes docusign senders that contain "via" in the display name
 and not (
 any(headers.hops,
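Review bot: The rewritten body check in the second hunk, `regex.imatch(strings.replace_confusables(body.current_thread.text), '[0o]ne\s?dr[il1]ve.*')`, keeps `imatch`; if that function requires the whole string to match, as it appears to elsewhere in MQL, the trailing `.*` only allows the brand term at the very start of the body, and unless the engine runs in dotall mode `.` will not cross a newline, so a typical multi-line lure body would not fire this branch. The sibling checks on display name, local part and subject all use `regex.icontains`, so the consistent form would be `or regex.icontains(strings.replace_confusables(body.current_thread.text), '[0o]ne\s?dr[il1]ve')`; if start-of-body anchoring is intended, a one-line `// body must begin with the brand term` comment would spare the next reader the same question. With confusables now normalized before the match, the `[0o]` and `[il1]` classes in the pattern are largely redundant but harmless. The enclosing `source` block begins and ends outside this hunk.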
From a64fb2897be8efd34b61e99743633f01af62b70d Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 22 May 2026 19:12:15 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 .../credential_phishing_one_drive_impersonation.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/detection-rules/credential_phishing_one_drive_impersonation.yml b/detection-rules/credential_phishing_one_drive_impersonation.yml
index 4bb51baa51a..d469c1d9d78 100644
--- a/detection-rules/credential_phishing_one_drive_impersonation.yml
+++ b/detection-rules/credential_phishing_one_drive_impersonation.yml
@@ -9,8 +9,7 @@ source: |
 (
 regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
 or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
- or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name
- ),
+ or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
 "one?drive"
 ) < 2
 or any(attachments,
@@ -75,7 +74,7 @@ source: |
 ) > 0.5
 )
 )
 )
-
+
 // and body language is med/high confidence cred theft
 and (
 any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -100,13 +99,13 @@ source: |
 )
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )
-
+
 // negate highly trusted sender domains unless they fail DMARC authentication
 and not (
 sender.email.domain.root_domain in $high_trust_sender_root_domains
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )
-
+
 // excludes docusign senders that contain "via" in the display name
 and not (
 any(headers.hops,
@@ -117,7 +116,6 @@ source: |
 and strings.contains(sender.display_name, "via")
 )
 and not profile.by_sender().any_messages_benign
-
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques: