Skip to content

Create attachment_pdf_file_banking_payment_from_freemail.yml #3661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
MSAdministrator wants to merge 12 commits into from
Closed

Create attachment_pdf_file_banking_payment_from_freemail.yml #3661

MSAdministrator wants to merge 12 commits into from
+68 −0

Conversation

@MSAdministrator
Copy link
Member

@MSAdministrator MSAdministrator commented Dec 12, 2025
edited
Loading

Description

Adding a new rule for coverage of PDFs used for banking/transfer from a freemail provider.

Detects PDF attachments containing banking terminology such as SWIFT codes, account numbers, and payment references from free email providers. These attachments often contain fraudulent payment instructions or fake banking documents used in business email compromise attacks.

Associated samples

Associated hunts

@MSAdministrator MSAdministrator self-assigned this Dec 12, 2025
@MSAdministrator MSAdministrator requested a review from a team as a code owner December 12, 2025 16:38
@MSAdministrator MSAdministrator added the in-test-rules PR is in our testing suite to collect telemetry label Dec 12, 2025
github-actions bot added a commit that referenced this pull request Dec 12, 2025
@github-actions
[PR #3661] added rule: Attachment: PDF with banking and payment refer…
759d074 
…ences from freemail sender
@MSAdministrator
Copy link
Member Author

MSAdministrator commented Dec 16, 2025

New Hunt

@MSAdministrator MSAdministrator added the review-needed Indicates that a PR is waiting for review label Dec 16, 2025
@IndiaAce
Copy link
Member

IndiaAce commented Dec 18, 2025

I'm seeing a lot of telemetry in test rules that is marked likely benign here, I'm unable to load the sample sets to SWS but I think this might need some revision. I'm going to remove the review-needed label

@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Dec 18, 2025
This was referenced Dec 19, 2025
Closed
Closed
github-actions bot added a commit that referenced this pull request Dec 19, 2025
@github-actions
[PR #3661] modified rule: Attachment: PDF with banking and payment re…
69dc97b 
…ferences from freemail sender
github-actions bot added a commit that referenced this pull request Dec 22, 2025
@github-actions
[PR #3661] modified rule: Attachment: PDF with banking and payment re…
98aece0 
…ferences from freemail sender
@MSAdministrator MSAdministrator added the review-needed Indicates that a PR is waiting for review label Dec 29, 2025
zoomequipd
zoomequipd requested changes Jan 8, 2026
View reviewed changes
@zoomequipd
Copy link
Member

zoomequipd commented Jan 8, 2026

beyond the suggested changes, where are mostly syntax based, the rule appears to match on a bunch of benign samples.

going to remove the review-needed label until benign matches are addressed

@zoomequipd zoomequipd removed the review-needed Indicates that a PR is waiting for review label Jan 8, 2026
github-actions bot added a commit that referenced this pull request Jan 12, 2026
@github-actions
[PR #3661] modified rule: Attachment: PDF with banking and payment re…
7c51ff0 
…ferences from freemail sender
github-actions bot added a commit that referenced this pull request Jan 12, 2026
@github-actions
[PR #3661] modified rule: Attachment: PDF with banking and payment re…
9040f95 
…ferences from freemail sender
@MSAdministrator
Copy link
Member Author

MSAdministrator commented Jan 12, 2026

Mode results look good

@MSAdministrator MSAdministrator added the review-needed Indicates that a PR is waiting for review label Jan 12, 2026
github-actions bot added a commit that referenced this pull request Jan 12, 2026
@github-actions
[PR #3661] Delete detection rule
63527f9
github-actions bot added a commit that referenced this pull request Jan 12, 2026
@github-actions
[PR #3661] Delete detection rule
b3ea6f4
github-actions bot added a commit that referenced this pull request Jan 12, 2026
@github-actions
[PR #3661] Delete detection rule
6da0cfa
IndiaAce
IndiaAce requested changes Jan 13, 2026
View reviewed changes
Copy link
Member

@IndiaAce IndiaAce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one very small nit and something I noticed with your regex... other than that I think this looks good to me!

github-actions bot added a commit that referenced this pull request Jan 14, 2026
@github-actions
[PR #3661] modified rule: Attachment: PDF with banking and payment re…
508ec08 
…ferences from freemail sender
@IndiaAce
Copy link
Member

IndiaAce commented Jan 14, 2026

I'm curious if the regex change is going to have larger impact, I'm going to remove r4r until we get some telemetry in test-ruels

@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Jan 14, 2026
@MSAdministrator MSAdministrator added the review-needed Indicates that a PR is waiting for review label Jan 15, 2026
zoomequipd
zoomequipd requested changes Jan 16, 2026
View reviewed changes
detection-rules/attachment_pdf_file_banking_payment_from_freemail.yml
)
// or any defined org brands like: first.last.sublime@freemail
or any($org_slds, strings.icontains(sender.email.local_part, .))
or any($org_brand_names, strings.icontains(sender.email.local_part, .))
Copy link
Member

@zoomequipd zoomequipd Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

idk the intention of org_brand_names would be common here.

I"m thinking of things like my company org_sld is tcitruck but my entry in org_brand_names is Traffic Consultants Inc

github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3661] added rule: PR# 3661 - Attachment: PDF wit…
df53814 
…h banking and payment references from freemail sender
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3661] added rule: Attachment: PDF with banking a…
41ab058 
…nd payment references from freemail sender
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3661] Delete detection rule
49b86de
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3661] Delete detection rule
c282ede
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3661] added rule: PR# 3661 - Attachment: PDF wit…
026bfcb 
…h banking and payment references from freemail sender
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 16, 2026
@github-actions
[PR sublime-security#3661] added rule: Attachment: PDF with banking a…
f56bccb 
…nd payment references from freemail sender
@MSAdministrator MSAdministrator requested a review from a team as a code owner January 20, 2026 15:35
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 20, 2026
@github-actions
[PR sublime-security#3661] modified rule: PR# 3661 - Attachment: PDF …
889f263 
…with banking and payment references from freemail sender
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 20, 2026
@github-actions
[PR sublime-security#3661] modified rule: Attachment: PDF with bankin…
bdfdc3a 
…g and payment references from freemail sender
github-actions bot added a commit that referenced this pull request Jan 20, 2026
@github-actions
[PR #3661] modified rule: Attachment: PDF with banking and payment re…
0e4aa75 
…ferences from freemail sender
@MSAdministrator
Copy link
Member Author

MSAdministrator commented Jan 21, 2026

I'm closing this one in favor of this newer rule #3809

github-actions bot added a commit that referenced this pull request Jan 21, 2026
@github-actions
[PR #3661] Delete detection rule
aacd45b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd requested changes

@IndiaAce IndiaAce Awaiting requested review from IndiaAce

Assignees

@MSAdministrator MSAdministrator

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MSAdministrator @IndiaAce @zoomequipd @aidenmitchell