Update link_credential_phishing_voicemail_language.yml (#3473)

Author: aidenmitchell

detection-rules/link_credential_phishing_voicemail_language.yml

@@ -35,6 +35,13 @@ source: |
                         // obfuscated phone number with at least one digit in the prefix
                         // XXX-555-5555, XXX-5XX-XXXX
                         '\b1?\(?(\d{2}[\*X]|\d[\*X]{2}|[\*X]{2,3})\)?[^a-z0-9]{0,2}(\d{2,3}|\d{2}[\*X]|\d[\*X]{2})[^a-z0-9]{0,4}(\d{4}|\d{3}[\*X]|\d{2}[\*X]{2}|\d[\*X]{3}|[\*X]{3,4})\b',
+                        // obfuscated voicemail/voicemessage keywords
+                        'v[o0][il1]ce[\s\-_]?m(?:ail|sg|essage)?[\*X\.\-_]{2,}',
+                        'v[o0][il1]cem[\*X\.\-_]{2,}',
+                        // "X new voice..." patterns
+                        '\d+\s+new.*v[o0][il1]ce(?:mail|message|m[\*]+)?',
+                        // sent-message patterns
+                        '(?:sent|new|incoming)[\s\-]+message.*v[o0][il1]ce',
         )
     )
     // body.current_thread.text inspection should be very specific to avoid FP