Skip to content

Update sender_display_name_kindly.yml#4119

Merged
IndiaAce merged 5 commits intomainfrom
daniel.fn.ESC-7309.FN--Initial-Contact-BEC-impersonating
Mar 6, 2026
Merged

Update sender_display_name_kindly.yml#4119
IndiaAce merged 5 commits intomainfrom
daniel.fn.ESC-7309.FN--Initial-Contact-BEC-impersonating

Conversation

@D-Bolton
Copy link
Copy Markdown
Member

@D-Bolton D-Bolton commented Mar 4, 2026
edited
Loading

Description

This PR updates Suspicious display name: Gmail sender with engaging language. This rule requires the display_name to contains at least two suspicious words. This PR adds the days of the week and the months to the list.

Associated samples

Associated hunts

@D-Bolton D-Bolton marked this pull request as ready for review March 4, 2026 21:28
@D-Bolton D-Bolton requested a review from a team March 4, 2026 21:28
@D-Bolton D-Bolton requested a review from a team as a code owner March 4, 2026 21:28
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Mar 4, 2026
github-actions Bot added a commit that referenced this pull request Mar 4, 2026
@github-actions
[Test Rules] [PR #4119] added rule: Suspicious display name: Gmail se…
7aa368d 
…nder with engaging languages
github-actions Bot added a commit that referenced this pull request Mar 4, 2026
@github-actions
[Shared Samples] [PR #4119] added rule: PR# 4119 - Suspicious display…
ff7ec4d 
… name: Gmail sender with engaging languages
@D-Bolton D-Bolton added the review-needed Indicates that a PR is waiting for review label Mar 5, 2026
IndiaAce
IndiaAce requested changes Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@IndiaAce IndiaAce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey! Left a comment here for a suggested added change. I've got 2 more notes for changes.

  1. I went to peak at the escalation to check for some context behind the proposed solution. I know it can seem like a slog to fill those out even for changes like this but any sort of context filling out in those tickets really help out!
  2. Can you rename the name of this file? I seem to recall approving this when it was 2 rules, but the current name of the rule is no longer in-scope with the logic of the rule.

I'm going to remove this from review-needed feel free to re-add when it's ready :)

Comment thread detection-rules/sender_suspicious_display_name_from_gmail_domain.yml
@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Mar 5, 2026
@D-Bolton @IndiaAce
Update detection-rules/sender_display_name_kindly.yml
2e3fa1c 
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
github-actions Bot added a commit that referenced this pull request Mar 5, 2026
@github-actions
[Shared Samples] [PR #4119] modified rule: PR# 4119 - Suspicious disp…
b97cd72 
…lay name: Gmail sender with engaging languages
github-actions Bot added a commit that referenced this pull request Mar 5, 2026
@github-actions
[Shared Samples] [PR #4119] Delete detection rule
1543f50
github-actions Bot added a commit that referenced this pull request Mar 5, 2026
@github-actions
[Test Rules] [PR #4119] Delete detection rule
71a836c
@D-Bolton D-Bolton requested a review from IndiaAce March 5, 2026 21:08
@D-Bolton D-Bolton added the review-needed Indicates that a PR is waiting for review label Mar 5, 2026
@D-Bolton
Copy link
Copy Markdown
Member Author

D-Bolton commented Mar 5, 2026

Hey @IndiaAce,

  1. Sorry I forgot to fill it out. I created the temple but didn't go back to it. The ticket is now filled out!
  2. Renamed the file name to better match the rule logic.
    Thanks!

IndiaAce
IndiaAce approved these changes Mar 6, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@IndiaAce IndiaAce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Telemetry looks incredible for this, net-new matches are exactly what we want here. Approving!

@IndiaAce IndiaAce added this pull request to the merge queue Mar 6, 2026
Merged via the queue into main with commit 6d9bc76 Mar 6, 2026
3 checks passed
@IndiaAce IndiaAce deleted the daniel.fn.ESC-7309.FN--Initial-Contact-BEC-impersonating branch March 6, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IndiaAce IndiaAce IndiaAce approved these changes

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@D-Bolton @IndiaAce