Skip to content

Refine regex patterns for document sharing detection#3871

Merged
peterdj45 merged 4 commits intomainfrom
peter.fn.cred_phishing_generic_document_sharing
Feb 5, 2026
Merged

Refine regex patterns for document sharing detection#3871
peterdj45 merged 4 commits intomainfrom
peter.fn.cred_phishing_generic_document_sharing

Conversation

@peterdj45
Copy link
Copy Markdown
Member

@peterdj45 peterdj45 commented Jan 27, 2026
edited
Loading

@peterdj45 peterdj45 requested a review from a team as a code owner January 27, 2026 03:18
@github-actions github-actions Bot added test-rules:excluded:link_analysis Link analysis in rule, excluding from test rules hunting-required Hunts needed to validate rule efficacy labels Jan 27, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jan 28, 2026

Test Rules Sync - Excluded

This PR contains rules that use ml.link_analysis, which is not supported in the test-rules environment.

The hunting-required label has been applied. These rules will need to be tested through alternative methods.

github-actions Bot added a commit that referenced this pull request Jan 28, 2026
@github-actions
[PR #3871] added rule: PR# 3871 - Credential phishing: Generic docume…
ad8b462 
…nt sharing
@peterdj45
Copy link
Copy Markdown
Member Author

peterdj45 commented Feb 3, 2026

hunts look good, results in ESC-6610.

L90D Shared EML: https://platform.sublime.security/messages/hunt?huntId=019c22bd-513f-7110-b4bf-e888fef02c49

@peterdj45 peterdj45 added the review-needed Indicates that a PR is waiting for review label Feb 3, 2026
markmsublime
markmsublime requested changes Feb 3, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@markmsublime markmsublime left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing review-needed label until feedback is addressed, please add back when you are ready!

Comment thread detection-rules/credential_phishing_generic_document_sharing.yml Outdated
Comment thread detection-rules/credential_phishing_generic_document_sharing.yml Outdated
@markmsublime markmsublime removed the review-needed Indicates that a PR is waiting for review label Feb 3, 2026
@peterdj45 @markmsublime
Update detection-rules/credential_phishing_generic_document_sharing.yml
23144b5 
Co-authored-by: Mark Morris <mark.m@sublimesecurity.com>
@peterdj45 peterdj45 requested a review from a team February 4, 2026 04:27
@peterdj45 @markmsublime
Apply suggestions from code review
027a6a6 
Co-authored-by: Mark Morris <mark.m@sublimesecurity.com>
@peterdj45 peterdj45 added the review-needed Indicates that a PR is waiting for review label Feb 4, 2026
github-actions Bot added a commit that referenced this pull request Feb 4, 2026
@github-actions
[PR #3871] modified rule: PR# 3871 - Credential phishing: Generic doc…
a971fa0 
…ument sharing
@peterdj45 peterdj45 added this pull request to the merge queue Feb 5, 2026
Merged via the queue into main with commit 7fb505b Feb 5, 2026
3 checks passed
@peterdj45 peterdj45 deleted the peter.fn.cred_phishing_generic_document_sharing branch February 5, 2026 22:43
github-actions Bot added a commit that referenced this pull request Feb 5, 2026
@github-actions
[PR #3871] Delete detection rule
72c9240
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@markmsublime markmsublime markmsublime approved these changes

Assignees

No one assigned

Labels

hunting-required Hunts needed to validate rule efficacy review-needed Indicates that a PR is waiting for review test-rules:excluded:link_analysis Link analysis in rule, excluding from test rules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@peterdj45 @markmsublime