Skip to content

Add first_name/last_name concat matching to org_vips body/subject rules#4515

Open
IndiaAce wants to merge 2 commits into
sublime-security:mainfrom
IndiaAce:india.fn.na.org_vips_name_ordering_body_subject
Open

Add first_name/last_name concat matching to org_vips body/subject rules#4515
IndiaAce wants to merge 2 commits into
sublime-security:mainfrom
IndiaAce:india.fn.na.org_vips_name_ordering_body_subject

Conversation

@IndiaAce
Copy link
Copy Markdown
Member

@IndiaAce IndiaAce commented May 20, 2026

Description

Add alternative name matching logic to org_vips body/subject/HTML-based rules to handle cases where
display_name is stored as "Lastname, Firstname" instead of "Firstname Lastname".
Uses strings.concat(.first_name, " ", .last_name) and strings.concat(.last_name, ", ", .first_name)
as additional or conditions inside existing any($org_vips, ...) blocks.

This is a test rule deployment to assess impact magnitude.

Affected rules

  • vip_impersonation_charity.yml
  • fake_thread_suspicious_indicators.yml
  • vip_impersonation_subject.yml
  • vip_impersonation_fake_thread.yml
  • impersonation_google_groups_suspicious.yml
  • service_abuse_trello_board_invite_vip.yml

Associated samples

N/A - validation only (no TP canonical available)

Associated hunts

TBD - will be run after test rule deployment

@IndiaAce @claude
Add first_name/last_name concat matching to org_vips body/subject rules
010ce33 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@IndiaAce IndiaAce requested a review from a team May 20, 2026 16:52
@IndiaAce IndiaAce requested a review from a team as a code owner May 20, 2026 16:52
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label May 20, 2026
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: Fake thread with suspicious indic…
58dfa34 
…ators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP Impersonation via Google Grou…
615e5a4 
…p relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: Service abuse: Trello board invit…
a3f7079 
…ation with VIP impersonation
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP impersonation with charitable…
e7e9cfc 
… donation fraud
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP impersonation: Fake thread wi…
c55cb79 
…th display name match, email mismatch
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP / Executive impersonation in …
3f8c0d4 
…subject (untrusted)
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: Fake thread with …
11c70c6 
…suspicious indicators
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP Impersonation…
a01e603 
… via Google Group relay with suspicious indicators
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: Service abuse: Tr…
733bf7c 
…ello board invitation with VIP impersonation
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP impersonation…
22b73c2 
… with charitable donation fraud
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP impersonation…
691275f 
…: Fake thread with display name match, email mismatch
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP / Executive i…
7e1a7c9 
…mpersonation in subject (untrusted)
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - Fake thread with s…
c3ebfc5 
…uspicious indicators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP Impersonation …
cb6ac41 
…via Google Group relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - Service abuse: Tre…
09a672e 
…llo board invitation with VIP impersonation
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP impersonation …
3f264a4 
…with charitable donation fraud
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP impersonation:…
fbcd55d 
… Fake thread with display name match, email mismatch
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP / Executive im…
86b01f1 
…personation in subject (untrusted)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@IndiaAce