Skip to content

Add detection rule for AuthentiSign impersonation #3718

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
missingn0pe wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Add detection rule for AuthentiSign impersonation #3718

missingn0pe wants to merge 5 commits into from
+69 −0

Conversation

@missingn0pe
Copy link
Member

@missingn0pe missingn0pe commented Dec 29, 2025

This rule detects messages impersonating AuthentiSign based on various criteria, including display name, domain, subject, and body content. It identifies potential phishing and fraud attempts originating from non-AuthentiSign or spoofed domains.

Associated samples

- Sample 1
- Sample 2

Associated hunts

- Hunt 1
- Hunt 2

@missingn0pe
Add detection rule for AuthentiSign impersonation
dec77c9 
This rule detects messages impersonating AuthentiSign based on various criteria, including display name, domain, subject, and body content. It identifies potential phishing and fraud attempts originating from non-AuthentiSign or spoofed domains.
@missingn0pe missingn0pe requested a review from a team as a code owner December 29, 2025 22:42
@missingn0pe
Copy link
Member Author

missingn0pe commented Dec 29, 2025

Requested logo coverage & can add logic after request is complete. Link is behind sendgrid so final dom could help but will need to lean on it after test rules review.

@missingn0pe missingn0pe added the in-test-rules PR is in our testing suite to collect telemetry label Dec 29, 2025
github-actions bot added a commit that referenced this pull request Dec 29, 2025
@github-actions
[PR #3718] added rule: Brand impersonation: AuthentiSign
07aa10c
@missingn0pe
Adding current thread conditions & negations
16f3bf6 
Added RE/FWD negations & additional conditions for current thread.
github-actions bot added a commit that referenced this pull request Dec 31, 2025
@github-actions
[PR #3718] modified rule: Brand impersonation: AuthentiSign
8036a13
@missingn0pe
Update impersonation detection rules in YAML file
c2be9f9 
Switch "sign" string to body.links display text
@github-actions github-actions bot removed the in-test-rules PR is in our testing suite to collect telemetry label Jan 5, 2026
github-actions bot added a commit that referenced this pull request Jan 5, 2026
@github-actions
[PR #3718] Delete detection rule
bd20382
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 5, 2026
github-actions bot added a commit that referenced this pull request Jan 5, 2026
@github-actions
[PR #3718] added rule: Brand impersonation: AuthentiSign
fc88285
@missingn0pe
adding simple word check to body.links
6aa85cc 
BE improvement allows to return to simple wording in this case. Leaving obfuscation strings as a failsafe.
@github-actions github-actions bot removed the in-test-rules PR is in our testing suite to collect telemetry label Jan 9, 2026
github-actions bot added a commit that referenced this pull request Jan 9, 2026
@github-actions
[PR #3718] Delete detection rule
965404d
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 9, 2026
github-actions bot added a commit that referenced this pull request Jan 9, 2026
@github-actions
[PR #3718] added rule: Brand impersonation: AuthentiSign
3336690
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@missingn0pe