
Create link_hotel_url_redirect.yml#3902

Merged
JFarina5 merged 10 commits into main from JFarina5.FN.ESC-6856.hotel.url.redirect
Feb 17, 2026

Conversation


@JFarina5 JFarina5 commented Jan 29, 2026

Description

This rule detects URLs inside messages where the display_url redirects to malicious sites with a hotel-review-based theme.

Associated samples

Associated hunts

@JFarina5 JFarina5 requested a review from a team as a code owner January 29, 2026 22:17
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 29, 2026

JFarina5 commented Feb 2, 2026

Low telemetry, but results look good. Marking r4r.

@JFarina5 JFarina5 added the review-needed Indicates that a PR is waiting for review label Feb 2, 2026
@IndiaAce IndiaAce left a comment


The telemetry on this is awesome, and I love the idea here. I think we do need some sort of early gating. I have a few ideas you might consider trying out. The FPs I found in test rules I was unable to share with the customer, but one of them, 50048ac55cca8c8c558b1af119a8a5255414952225388a55a01edaf1d572a5c8, stuck out to me. It looks like they're coordinating an Airbnb rental. It's a reply, so you could negate replies!


IndiaAce commented Feb 3, 2026

Just to keep the review-needed queue organized, I'm going to take off the review-needed label; lmk if you want to chat about that! (Also hmu for what customer that canonical is if you wanted to look at it; it's not in sws.)

@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Feb 3, 2026
@JFarina5 JFarina5 requested a review from a team February 3, 2026 16:53

JFarina5 commented Feb 3, 2026

Looks like the FP was because of a legit redirect; added some negations that help combat these types of scenarios.

Removed regex restraint from URL redirect rule.

JFarina5 commented Feb 4, 2026

Spoke with @IndiaAce, took off the regex restraint to open the rule up a bit. Results look promising.


JFarina5 commented Feb 4, 2026

Added additional sender logic, negates some FPs found in test rules, but also flags additional FNs. Hunt results looked solid.


Mode results looked good, latest commit was to negate some graymail hits, but otherwise results looked all malicious. L365D 'and not' hunt only returned the graymail hits. L90D hunt returned all malicious, likely_benign hits all seemed malicious, no graymail. Marking r4r.

@JFarina5 JFarina5 added the review-needed Indicates that a PR is waiting for review label Feb 17, 2026
@JFarina5 JFarina5 requested a review from IndiaAce February 17, 2026 14:52
github-actions Bot added a commit that referenced this pull request Feb 17, 2026
github-actions Bot added a commit that referenced this pull request Feb 17, 2026

@IndiaAce IndiaAce left a comment


Latest results look great! Nice work on this, approved!

@JFarina5 JFarina5 added this pull request to the merge queue Feb 17, 2026
Merged via the queue into main with commit a149df1 Feb 17, 2026
2 checks passed
@JFarina5 JFarina5 deleted the JFarina5.FN.ESC-6856.hotel.url.redirect branch February 17, 2026 19:07
github-actions Bot added a commit that referenced this pull request Feb 17, 2026