Create sender_display_name_kindly.yml (#3729)

D-Bolton · ID Generator · web-flow · commit d8ad3f369071 · 2026-01-09T15:13:55.000Z
Co-authored-by: ID Generator &lt;hello@sublimesecurity.com&gt;
diff --git a/detection-rules/sender_display_name_kindly.yml b/detection-rules/sender_display_name_kindly.yml
@@ -0,0 +1,34 @@
+name: "Display name: 'kindly' with urgent language indicators"
+description: "Detects messages where the sender's display name contains 'kindly' combined with urgent action words commonly used in social engineering attacks, such as urgent, ASAP, verify, confirm, or expedite."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and strings.icontains(sender.display_name, "kindly")
+  and (
+    strings.icontains(sender.display_name, 'cell number')
+    or strings.icontains(sender.display_name, 'expedite')
+    or strings.icontains(sender.display_name, 'urgent')
+    or strings.icontains(sender.display_name, 'contact number')
+    or strings.icontains(sender.display_name, 'review')
+    or strings.icontains(sender.display_name, 'confirm')
+    or strings.icontains(sender.display_name, 'ASAP')
+    or strings.icontains(sender.display_name, 'Follow Up')
+    or strings.icontains(sender.display_name, 'nicely')
+    or strings.icontains(sender.display_name, 'btc')
+    or strings.icontains(sender.display_name, 'Reply')
+    or strings.icontains(sender.display_name, 'RESPOND')
+    or strings.icontains(sender.display_name, 'URGENTLY')
+    or strings.icontains(sender.display_name, 'VERIFY')
+    or strings.icontains(sender.display_name, 'convenience')
+    or strings.icontains(sender.display_name, 'Response')
+  )
+
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+id: "82ca0ff1-e823-5930-aa2d-7d2b572a528b"
