
Create self_sender_display_name_email_in_subject.yml#4285

Merged
D-Bolton merged 9 commits into main from daniel.fn.ESC-9460.has-sent-you-a-protected-message
Apr 16, 2026

Conversation

@D-Bolton
Member

@D-Bolton D-Bolton commented Mar 31, 2026

Description

Detects messages where the sender emails themselves with both their email address and display name present in the subject line, while the email address differs from the display name.

Associated samples

Associated hunts

  • Hunt 1
  • Multi-hunts in ESC-9460

@D-Bolton D-Bolton marked this pull request as ready for review March 31, 2026 19:13
@D-Bolton D-Bolton requested a review from a team March 31, 2026 19:13
@D-Bolton D-Bolton requested a review from a team as a code owner March 31, 2026 19:13
@github-actions github-actions bot added the "in-test-rules" label (PR is in our testing suite to collect telemetry) Mar 31, 2026
github-actions bot added a commit that referenced this pull request Mar 31, 2026
github-actions bot added a commit that referenced this pull request Mar 31, 2026
@D-Bolton D-Bolton added the "review-needed" label (Indicates that a PR is waiting for review) Apr 2, 2026
@D-Bolton D-Bolton removed the "review-needed" label (Indicates that a PR is waiting for review) Apr 2, 2026
@D-Bolton
Member Author

D-Bolton commented Apr 2, 2026

This rule is ready. @peterdj45 will review mode results on Monday.

@D-Bolton D-Bolton requested a review from peterdj45 April 2, 2026 20:15
github-actions bot added a commit that referenced this pull request Apr 2, 2026
github-actions bot added a commit that referenced this pull request Apr 2, 2026
github-actions bot added a commit to IndiaAce/sublime-rules that referenced this pull request Apr 8, 2026
Member

@peterdj45 peterdj45 left a comment


Found some FPs in test rules, primarily messages sent via Hearsay Social (social media marketing platform). Example: https://platform.sublime.security/messages/50471e1a18de024481af14a3b2e7f8c8fe9fff30c14456f355e24c6d3234ae4c

Could maybe negate these via presence of X-HearsaySocial headers? Or the message ID, which is hearsaysystems.com. Happy to jam on this if you'd like!
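The detection described in the PR body (sender emails themselves, with both display name and address in the subject and the two differing) plus the false-positive exclusion suggested in this review comment, written out as an added Python example. This is not the rule file from the PR and not Sublime's rule language; the Message structure, the field names, the sample messages, and the exact way the Hearsay Social exclusion is encoded (header-name prefix and Message-ID domain) are assumptions made here for illustration.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Exclusion based on the reviewer's suggestion (Hearsay Social relays).
# How the merged rule actually encodes this is not shown on the PR page (assumption).
BENIGN_HEADER_PREFIXES = ("x-hearsaysocial",)
BENIGN_MESSAGE_ID_DOMAINS = ("hearsaysystems.com",)


@dataclass
class Message:
    """Minimal stand-in for a parsed message (hypothetical structure, not the platform's)."""
    sender: str                      # raw From header, e.g. 'Jane Doe <jane@example.com>'
    recipients: list                 # raw To/Cc addresses
    subject: str
    headers: dict = field(default_factory=dict)  # remaining header name -> value


def _norm(text):
    """Collapse whitespace and casefold so substring checks are not evaded by case alone."""
    return " ".join(text.split()).casefold()


def _header(msg, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in msg.headers.items():
        if key.casefold() == name.casefold():
            return value
    return ""


def is_self_send(msg):
    """True when the From address also appears among the recipients."""
    _, from_addr = parseaddr(msg.sender)
    rcpts = {parseaddr(r)[1].casefold() for r in msg.recipients}
    return bool(from_addr) and from_addr.casefold() in rcpts


def subject_carries_sender_identity(msg):
    """True when both the sender's display name and address appear in the subject
    and the display name is not simply a repeat of the address."""
    name, addr = parseaddr(msg.sender)
    if not name or not addr:
        return False
    if _norm(name) == _norm(addr):
        return False
    subj = _norm(msg.subject)
    return _norm(addr) in subj and _norm(name) in subj


def is_known_benign_relay(msg):
    """Reviewer-suggested false-positive exclusion: mail relayed by Hearsay Social."""
    if any(k.casefold().startswith(BENIGN_HEADER_PREFIXES) for k in msg.headers):
        return True
    mid = _header(msg, "Message-ID").strip().strip("<>")
    domain = mid.rpartition("@")[2].casefold()
    return domain in BENIGN_MESSAGE_ID_DOMAINS


def matches(msg):
    """Full rule: self-send with sender identity in subject, minus the benign relay exclusion."""
    return (is_self_send(msg)
            and subject_carries_sender_identity(msg)
            and not is_known_benign_relay(msg))


# Constructed sample messages (not telemetry from the PR).
SAMPLES = {
    "self_send_identity_in_subject": Message(
        sender="Jane Doe <jane.doe@example.com>",
        recipients=["jane.doe@example.com"],
        subject="Jane Doe (jane.doe@example.com) has sent you a protected message",
    ),
    "hearsay_relay_excluded": Message(
        sender="Jane Doe <jane.doe@example.com>",
        recipients=["Jane Doe <jane.doe@example.com>"],
        subject="Jane Doe (jane.doe@example.com) shared a post",
        headers={"X-HearsaySocial-Id": "constructed-123",
                 "Message-ID": "<constructed-abc@hearsaysystems.com>"},
    ),
    "not_self_send": Message(
        sender="Jane Doe <jane.doe@example.com>",
        recipients=["bob@example.com"],
        subject="Jane Doe (jane.doe@example.com) has sent you a protected message",
    ),
    "no_display_name": Message(
        sender="<jane.doe@example.com>",
        recipients=["jane.doe@example.com"],
        subject="jane.doe@example.com has sent you a protected message",
    ),
    "address_only_in_subject": Message(
        sender="Jane Doe <jane.doe@example.com>",
        recipients=["jane.doe@example.com"],
        subject="Message from jane.doe@example.com",
    ),
}


def evaluate_samples():
    """Return {sample_name: rule_matched} for every constructed sample."""
    return {name: matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:32s} -> {'MATCH' if hit else 'no match'}")
```

Only the first sample fires; the Hearsay sample carries the same subject pattern but is dropped by the relay exclusion, which is the trade-off the reviewer is describing: the exclusion removes a known-benign platform without loosening the self-send and subject conditions themselves.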

Comment thread detection-rules/self_sender_display_name_email_in_subject.yml Outdated
Co-authored-by: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Apr 9, 2026
github-actions bot added a commit to IndiaAce/sublime-rules that referenced this pull request Apr 9, 2026
github-actions bot added a commit that referenced this pull request Apr 9, 2026
github-actions bot added a commit that referenced this pull request Apr 10, 2026
github-actions bot added a commit that referenced this pull request Apr 10, 2026
…rench copy/paste instructions and suspicious domains
github-actions bot added a commit that referenced this pull request Apr 10, 2026
github-actions bot added a commit that referenced this pull request Apr 10, 2026
github-actions bot added a commit to IndiaAce/sublime-rules that referenced this pull request Apr 10, 2026
github-actions bot added a commit to IndiaAce/sublime-rules that referenced this pull request Apr 10, 2026
…French copy/paste instructions and suspicious domains
@D-Bolton D-Bolton requested a review from peterdj45 April 10, 2026 20:05
@D-Bolton
Member Author

Found some FPs in test rules, primarily messages sent via Hearsay Social (social media marketing platform). Example: https://platform.sublime.security/messages/50471e1a18de024481af14a3b2e7f8c8fe9fff30c14456f355e24c6d3234ae4c

Could maybe negate these via presence of X-HearsaySocial headers? or the message ID, which is hearsaysystems.com. Happy to jam on this if you'd like!

I tightened the rule up more. I have multi-hunts in the ESC. Let me know what you think. Thanks!

@D-Bolton D-Bolton added the "review-needed" label (Indicates that a PR is waiting for review) Apr 10, 2026
Member

@peterdj45 peterdj45 left a comment


LGTM! Left you some non-blocking feedback.

Comment thread detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml Outdated
Comment thread detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml Outdated
Comment thread detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml Outdated
@peterdj45 peterdj45 removed the "review-needed" label (Indicates that a PR is waiting for review) Apr 15, 2026
D-Bolton and others added 3 commits April 15, 2026 08:09
…icious_domains.yml

Co-authored-by: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
…icious_domains.yml

Co-authored-by: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
…icious_domains.yml

Co-authored-by: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Apr 15, 2026
…structions and suspicious domains (French/Français)
github-actions bot added a commit that referenced this pull request Apr 15, 2026
…h copy/paste instructions and suspicious domains (French/Français)
@D-Bolton D-Bolton added the "review-needed" label (Indicates that a PR is waiting for review) Apr 15, 2026
@D-Bolton D-Bolton requested a review from IndiaAce April 15, 2026 14:22
Member

@IndiaAce IndiaAce left a comment


Approved with non-blocking feedback.

github-actions bot added a commit that referenced this pull request Apr 16, 2026
…h copy/paste instructions and suspicious domains (French/Français)
github-actions bot added a commit that referenced this pull request Apr 16, 2026
…structions and suspicious domains (French/Français)
@D-Bolton D-Bolton added this pull request to the merge queue Apr 16, 2026
Merged via the queue into main with commit 2878155 Apr 16, 2026
3 checks passed
@D-Bolton D-Bolton deleted the daniel.fn.ESC-9460.has-sent-you-a-protected-message branch April 16, 2026 17:39
github-actions bot added a commit that referenced this pull request Apr 16, 2026