Skip to content

Add first_name/last_name concat matching to org_vips sender rules#4513

Open
IndiaAce wants to merge 2 commits into
sublime-security:mainfrom
IndiaAce:india.fn.na.org_vips_name_ordering_sender
Open

Add first_name/last_name concat matching to org_vips sender rules#4513
IndiaAce wants to merge 2 commits into
sublime-security:mainfrom
IndiaAce:india.fn.na.org_vips_name_ordering_sender

Conversation

@IndiaAce
Copy link
Copy Markdown
Member

@IndiaAce IndiaAce commented May 20, 2026

Description

Add alternative name matching logic to org_vips sender-based rules to handle cases where
display_name is stored as "Lastname, Firstname" instead of "Firstname Lastname".
Uses strings.concat(.first_name, " ", .last_name) and strings.concat(.last_name, ", ", .first_name)
as additional or conditions inside existing any($org_vips, ...) blocks.

This is a test rule deployment to assess impact magnitude.

Affected rules

  • impersonation_vip_bec_loose.yml
  • vip_impersonation.yml
  • impersonation_vip_urgent_request.yml
  • impersonation_vip_invoicing_request.yml
  • impersonation_vip_w2_request.yml
  • sender_contains_org_vip.yml (insight)

Associated samples

N/A - validation only (no TP canonical available)

Associated hunts

TBD - will be run after test rule deployment

@IndiaAce @claude
Add first_name/last_name concat matching to org_vips sender rules
07ab11d 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@IndiaAce IndiaAce requested a review from a team May 20, 2026 16:49
@IndiaAce IndiaAce requested a review from a team as a code owner May 20, 2026 16:49
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label May 20, 2026
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4513] added rule: VIP impersonation with BEC langua…
8b3f150 
…ge (near match, untrusted sender)
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4513] added rule: VIP impersonation with invoicing …
00968ee 
…request
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4513] added rule: VIP impersonation with urgent req…
3c8af1f 
…uest (strict match, untrusted sender)
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4513] added rule: VIP impersonation with w2 request…
d49e795 
… with reply-to mismatch
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4513] added rule: VIP / Executive impersonation (st…
b9e0e6b 
…rict match, untrusted)
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4513] added rule: VIP impersonation…
cfe83b9 
… with BEC language (near match, untrusted sender)
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4513] added rule: VIP impersonation…
a1f08b9 
… with invoicing request
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4513] added rule: VIP impersonation…
3d7799e 
… with urgent request (strict match, untrusted sender)
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4513] added rule: VIP impersonation…
aff402d 
… with w2 request with reply-to mismatch
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4513] added rule: VIP / Executive i…
446f992 
…mpersonation (strict match, untrusted)
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4513] added rule: PR# 4513 - VIP impersonation …
7be338f 
…with BEC language (near match, untrusted sender)
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4513] added rule: PR# 4513 - VIP impersonation …
087ec11 
…with invoicing request
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4513] added rule: PR# 4513 - VIP impersonation …
8253161 
…with urgent request (strict match, untrusted sender)
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4513] added rule: PR# 4513 - VIP impersonation …
f83a47a 
…with w2 request with reply-to mismatch
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4513] added rule: PR# 4513 - VIP / Executive im…
b11b351 
…personation (strict match, untrusted)
rw-access
rw-access reviewed May 20, 2026
View reviewed changes
Comment thread insights/sender/sender_contains_org_vip.yml
Comment on lines 11 to 13
and not sender.email.domain.root_domain in $high_trust_sender_root_domains
and not sender.email.domain.root_domain in $org_domains
and headers.auth_summary.dmarc.pass
Copy link
Copy Markdown
Contributor

@rw-access rw-access May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are these inside the any($org_vips) check?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rw-access rw-access rw-access left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@IndiaAce @rw-access