From f79d73bca01deeb9cc321793a8c8610afbc72672 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Thu, 20 Nov 2025 12:23:02 -0800
Subject: [PATCH 1/3] Fix regex pattern in suspicious_request_financial.yml
---
 detection-rules/suspicious_request_financial.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/detection-rules/suspicious_request_financial.yml b/detection-rules/suspicious_request_financial.yml
index 3f2f4da4442..29302b97203 100644
--- a/detection-rules/suspicious_request_financial.yml
+++ b/detection-rules/suspicious_request_financial.yml
@@ -49,7 +49,8 @@ source: |
 // suspicious sender display name
 or (
 regex.icontains(sender.display_name,
- 'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))'
+ 'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))',
+ '(?:pay(ment|([[:punct:]]|\s?)app)|transfer|EFT|ACH|deposit|remit|settle) (noti(ce|fication)|confirm(ation)?)'
 )
 // sender email listed as a recipient or recipients undisclosed/null
 and (
From c90784669e1e4334f63ea55915aa7353dda3c593 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Thu, 20 Nov 2025 13:21:55 -0800
Subject: [PATCH 2/3] Update suspicious_request_financial.yml
---
 detection-rules/suspicious_request_financial.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/detection-rules/suspicious_request_financial.yml b/detection-rules/suspicious_request_financial.yml
index 29302b97203..8fb113e5878 100644
--- a/detection-rules/suspicious_request_financial.yml
+++ b/detection-rules/suspicious_request_financial.yml
@@ -50,7 +50,7 @@ source: |
 or (
 regex.icontains(sender.display_name,
 'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))',
- '(?:pay(ment|([[:punct:]]|\s?)app)|transfer|EFT|ACH|deposit|remit|settle) (noti(ce|fication)|confirm(ation)?)'
+ '(?:pay(ment|([[:punct:]]|\s?)app)|EFT|ACH|deposit|remit|settle) (noti(ce|fication)|confirm(ation)?)'
 )
 // sender email listed as a recipient or recipients undisclosed/null
 and (
@@ -60,7 +60,8 @@ source: |
 )
 // non-benign nlu intent
 or any(ml.nlu_classifier(body.current_thread.text).intents,
- .name != "benign"
+ // callback phishing is outside the scope of this rule
+ (.name != "benign" and .name != "callback_scam")
 )
 )
 )
From 2eefe02df4485706e3453cfb4a82aeddad8cbc7b Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 21 Nov 2025 00:02:27 -0800
Subject: [PATCH 3/3] Update suspicious_request_financial.yml
---
 detection-rules/suspicious_request_financial.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/suspicious_request_financial.yml b/detection-rules/suspicious_request_financial.yml
index 8fb113e5878..8534c59eb43 100644
--- a/detection-rules/suspicious_request_financial.yml
+++ b/detection-rules/suspicious_request_financial.yml
@@ -50,7 +50,7 @@ source: |
 or (
 regex.icontains(sender.display_name,
 'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))',
- '(?:pay(ment|([[:punct:]]|\s?)app)|EFT|ACH|deposit|remit|settle) (noti(ce|fication)|confirm(ation)?)'
+ '(?:pay(ment|([[:punct:]]|\s?)app)|EFT|ACH|deposit|remit(tance)?|settle(ment)?) (?:noti(ce|fication)|confirm(ation)?)'
 )
 // sender email listed as a recipient or recipients undisclosed/null
 and (
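Review bot: The second pattern added to `regex.icontains` is unanchored, and since icontains is a substring match the short tokens `EFT` and `ACH` also match inside ordinary words followed by the suffix — a display name containing "theft notice" satisfies `EFT notice`, "coach notification" satisfies `ACH notification` — so benign senders can trip this branch of the sender check. If the regex engine supports `\b`, leading the alternation with it, `'\b(?:pay(ment|([[:punct:]]|\s?)app)|transfer|EFT|ACH|deposit|remit|settle) (noti(ce|fication)|confirm(ation)?)'`, keeps every intended hit while dropping those. The same unanchored alternation is carried forward unchanged by the display-name hunks in PATCH 2/3 and PATCH 3/3. The enclosing `source` expression starts and ends outside the hunk.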
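Review bot: Dropping `transfer` from the alternation narrows the detector, presumably to cut false positives, but neither the hunk nor the subject line ("Update suspicious_request_financial.yml") records why. A short comment above the pattern, e.g. `// 'transfer' deliberately left out of the notice/confirmation alternation`, or a sentence in the commit message would stop a later editor from re-adding it. The enclosing `source` expression starts and ends outside the hunk.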
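Review bot: The new `callback_scam` exclusion only suppresses the rule when callback phishing is the sole non-benign intent: the predicate sits inside `any(...)`, so a thread classified with `callback_scam` plus any other non-benign intent still satisfies it. The added comment should state that, e.g. `// callback phishing is outside the scope of this rule; any other non-benign intent alongside it still matches`, so nobody reads the exclusion as a hard suppression. The surrounding `source` expression starts before and ends after the hunk.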
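Review bot: Point of style: the `(?:` added to the suffix group leaves `(ce|fication)`, `(ation)?`, the new `(tance)?` and `(ment)?`, and `pay(ment|([[:punct:]]|\s?)app)` as capturing groups, so the pattern now mixes group kinds without a reason; nothing in an icontains call appears to consume captures, so making them all `(?:...)` reads consistently. Separately, `([[:punct:]]|\s?)` matches one punctuation character, one whitespace character or nothing, which `[[:punct:]\s]?` expresses in a single token, i.e. `pay(?:ment|[[:punct:]\s]?app)`. The enclosing `source` expression starts and ends outside the hunk.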