From 837564ccbfd640e4db6ab91ce13c801ddd1bd552 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 29 May 2026 11:58:16 -0500
Subject: [PATCH 1/4] Update recon_short_generic_greeting.yml

---
 .../recon_short_generic_greeting.yml | 38 +++++++++++--------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/detection-rules/recon_short_generic_greeting.yml b/detection-rules/recon_short_generic_greeting.yml
index 373f246438e..3a1c38726ae 100644
--- a/detection-rules/recon_short_generic_greeting.yml
+++ b/detection-rules/recon_short_generic_greeting.yml
@@ -42,28 +42,36 @@ source: |
 // no attachments or links
 and length(attachments) == 0
 and length(body.current_thread.links) == 0
- // negate sender profiles completely if auth is failing
+
+ // not where the sender and mailbox display_anames indicate this might be a personal email --> work email
+ // impersonation is covered by other core feed rules
+ and not (
+ sum([length(recipients.to), length(recipients.bcc), length(recipients.cc)]) == 1
+ and strings.icontains(sender.display_name, mailbox.first_name)
+ and strings.icontains(sender.display_name, mailbox.last_name)
+ )
+
 and (
- (
- not (
- coalesce(headers.auth_summary.dmarc.pass, false)
- or headers.auth_summary.spf.pass == false
- )
+ // auth failed (or absent) - ignore the profile
+ coalesce(headers.auth_summary.dmarc.pass, false) == false
+ or coalesce(headers.auth_summary.spf.pass, false) == false
+ // auth passed - use the profile
+ or (
+ // no benign messages
+ not profile.by_sender_email().any_messages_benign
 and (
- not profile.by_sender().solicited
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_messages_benign
+ // not soliticed OR common
+ not (
+ profile.by_sender_email().solicited
+ or profile.by_sender_email().prevalence == "common"
 )
+ // or HAS been spam_malicious
+ or profile.by_sender_email().any_messages_malicious_or_spam
 )
- and not profile.by_sender().any_messages_benign
- )
- or (
- coalesce(headers.auth_summary.dmarc.pass, false)
- or headers.auth_summary.spf.pass == false
 )
 )
 
+
 tags:
 - "Attack surface reduction"
 attack_types:

From ede71fcf8480c7b7799522b852a8b2e50dca1330 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 29 May 2026 17:03:39 +0000
Subject: [PATCH 2/4] Auto-format MQL and add rule IDs

---
 detection-rules/recon_short_generic_greeting.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
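Review bot: The new personal-to-work exclusion in the `and not ( ... )` block tests `mailbox.first_name` and `mailbox.last_name` as independent case-insensitive substrings of `sender.display_name`, so a short or common name component (a two- or three-letter first name, a last name that is also an ordinary word) will suppress the rule for unrelated senders whose display name happens to contain those strings; if that breadth is accepted, say so in the comment, otherwise consider requiring the two names to match as whole words. The comment on that block has a typo, `display_anames` → `display_names`, which the later patches carry forward as context, and so does `// not soliticed OR common` (→ `solicited`). The `coalesce(..., false) == false` tests on DMARC and SPF now send any message whose authentication results are absent, not only failed, straight past the sender-profile gate; the comment says "(or absent)" so this reads as deliberate, but it is wider than the removed `headers.auth_summary.spf.pass == false`, which did not treat a missing SPF result as a failure, and that widening is worth a sentence in the rule's description. The `source:` block begins before this hunk.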
diff --git a/detection-rules/recon_short_generic_greeting.yml b/detection-rules/recon_short_generic_greeting.yml
index 3a1c38726ae..5538fb33ceb 100644
--- a/detection-rules/recon_short_generic_greeting.yml
+++ b/detection-rules/recon_short_generic_greeting.yml
@@ -42,7 +42,7 @@ source: |
 // no attachments or links
 and length(attachments) == 0
 and length(body.current_thread.links) == 0
-
+
 // not where the sender and mailbox display_anames indicate this might be a personal email --> work email
 // impersonation is covered by other core feed rules
 and not (
@@ -50,7 +50,6 @@ source: |
 and strings.icontains(sender.display_name, mailbox.first_name)
 and strings.icontains(sender.display_name, mailbox.last_name)
 )
-
 and (
 // auth failed (or absent) - ignore the profile
 coalesce(headers.auth_summary.dmarc.pass, false) == false
@@ -70,8 +69,6 @@ source: |
 )
 )
 )
-
-
 tags:
 - "Attack surface reduction"
 attack_types:

From a0f271104707a6436c21759c51c05350d22a11c2 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 29 May 2026 14:10:48 -0500
Subject: [PATCH 3/4] handle null sender.display_name and mailbox elements

---
 detection-rules/recon_short_generic_greeting.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/detection-rules/recon_short_generic_greeting.yml b/detection-rules/recon_short_generic_greeting.yml
index 5538fb33ceb..c714f318575 100644
--- a/detection-rules/recon_short_generic_greeting.yml
+++ b/detection-rules/recon_short_generic_greeting.yml
@@ -47,8 +47,10 @@ source: |
 // impersonation is covered by other core feed rules
 and not (
 sum([length(recipients.to), length(recipients.bcc), length(recipients.cc)]) == 1
- and strings.icontains(sender.display_name, mailbox.first_name)
- and strings.icontains(sender.display_name, mailbox.last_name)
+ // use coalesce to deal with either the sender.display_name or the mailbox element being null
+ // if either are null, the function returns false, as it cannot be true if either is null
+ and coalesce(strings.icontains(sender.display_name, mailbox.first_name), false)
+ and coalesce(strings.icontains(sender.display_name, mailbox.last_name), false)
 )
 and (
 // auth failed (or absent) - ignore the profile

From c190842342fa76c9a83a0d5307693c8fd8cffe29 Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Fri, 29 May 2026 19:12:17 +0000
Subject: [PATCH 4/4] Auto-format MQL and add rule IDs

---
 detection-rules/recon_short_generic_greeting.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/detection-rules/recon_short_generic_greeting.yml b/detection-rules/recon_short_generic_greeting.yml
index c714f318575..6456f9434a2 100644
--- a/detection-rules/recon_short_generic_greeting.yml
+++ b/detection-rules/recon_short_generic_greeting.yml
@@ -49,7 +49,9 @@ source: |
 sum([length(recipients.to), length(recipients.bcc), length(recipients.cc)]) == 1
 // use coalesce to deal with either the sender.display_name or the mailbox element being null
 // if either are null, the function returns false, as it cannot be true if either is null
- and coalesce(strings.icontains(sender.display_name, mailbox.first_name), false)
+ and coalesce(strings.icontains(sender.display_name, mailbox.first_name),
+ false
+ )
 and coalesce(strings.icontains(sender.display_name, mailbox.last_name), false)
 )
 and (
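Review bot: The new comment above the two `coalesce(...)` lines attributes the false result to the function itself ("the function returns false"), but by the commit's own rationale it is `strings.icontains` producing null on a null `sender.display_name` or `mailbox.first_name`/`mailbox.last_name`, and the `coalesce(..., false)` wrapper that turns that null into false; a more accurate wording is `// strings.icontains() presumably yields null when either argument is null; coalesce() maps that to false so the exclusion cannot fire on missing data`. Stating it that way also makes clear to the next reader that the null guard lives in the wrapper and must be kept if the expression is ever reformatted or rewritten. The enclosing `and not ( ... )` block and the `source:` block both extend beyond this hunk.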