Create body_self_sender_bold.yml#4462
Open
keaton-sublime wants to merge 8 commits into
github-actions Bot added a commit that referenced this pull request (May 7, 2026): …s recipient with bolded name and suspicious link
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request (May 7, 2026): …n: Sender matches recipient with bolded name and suspicious link
github-actions Bot added a commit that referenced this pull request (May 7, 2026): …: Sender matches recipient with bolded name and suspicious link
Author (Member): No hits over the last several days in test rules data. Marking as ready for review/review-needed.
zoomequipd reviewed (May 14, 2026)
zoomequipd approved these changes (May 14, 2026)
github-actions Bot added a commit that referenced this pull request (May 15, 2026): …ches recipient with bolded name and suspicious link
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request (May 15, 2026): …tion: Sender matches recipient with bolded name and suspicious link
github-actions Bot added a commit that referenced this pull request (May 15, 2026): …ion: Sender matches recipient with bolded name and suspicious link
Author (Member): Last 14d test rules data looks pretty good, and all FPs are correctly identified by ASA
Member: Continuing to work with @keaton-sublime on this rule

Reverting logic a bit - narrowing it down to remove FPs. Hunt: https://platform.sublime.security/messages/hunt?huntId=019e73c5-efe2-7c30-9217-9c75f1e11e64 multi-hunt: https://hunt.limeseed.email/hunts/c91f5cf8-02a0-4737-8308-18a260f3af92
Author (Member): Changed some of the rule logic to be a bit narrower: I'm also going to do another PR for a wider rule that is looking for more of the generic stuff we miss by filtering this one down. related hunt: #4565
github-actions Bot added a commit that referenced this pull request (May 29, 2026): …ion: Sender matches recipient with bolded name and suspicious link
github-actions Bot added a commit that referenced this pull request (May 29, 2026): …ches recipient with bolded name and suspicious link
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request (May 29, 2026): …tion: Sender matches recipient with bolded name and suspicious link
Description
Detects messages where the sender's email address matches the recipient's email address, with the sender's display name appearing in bold text and a suspicious 'Read the Message' link present in the body.
Observed in a few campaigns with this type of behavior.
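The three conditions the description lists, worked through as a standalone Python check rather than the PR's own MQL rule (this is an added example, not code from the sublime-rules repository); the sample message, addresses and link are constructed for the demo, and the check treats a bolded display name and a "Read the Message" anchor as separate signals so a reviewer can see which one a false positive trips:

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample (not a real campaign message): sender == recipient,
# display name in <strong>, and a "Read the Message" link in the body.
SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: jane.doe@example.com
Subject: You have a new secure message
Content-Type: text/html; charset=utf-8

<html><body><p><strong>Jane Doe</strong> sent you a secure message.</p>
<p><a href="https://example.invalid/view?id=123">Read the Message</a></p></body></html>
"""

class _Collector(HTMLParser):
    """Collects text inside <b>/<strong> and (href, text) for each <a>."""
    def __init__(self):
        super().__init__()
        self.bold_text, self.links, self._ctx, self._buf = [], [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag in ("b", "strong", "a"):  # begin capturing this tag's text
            self._ctx, self._buf = (tag, dict(attrs).get("href", "")), ""
    def handle_data(self, data):
        if self._ctx:
            self._buf += data
    def handle_endtag(self, tag):
        if self._ctx and tag == self._ctx[0]:
            text = self._buf.strip()
            if tag == "a":
                self.links.append((self._ctx[1], text))
            else:
                self.bold_text.append(text)
            self._ctx = None

def self_sender_bold_link(raw: str) -> bool:
    """True when all three conditions of the rule described above hold."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    recipients = {parseaddr(r)[1].lower() for r in msg.get("To", "").split(",")}
    if not sender or sender.lower() not in recipients:
        return False  # sender does not match any recipient
    charset = msg.get_content_charset() or "utf-8"
    body = _Collector()
    body.feed(msg.get_payload(decode=True).decode(charset, "replace"))
    name_bolded = bool(display_name) and any(
        display_name.lower() in t.lower() for t in body.bold_text)
    read_link = any("read the message" in t.lower() for _, t in body.links)
    return name_bolded and read_link
```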
Associated samples
Associated hunts