Add patterns for AuthentiSign and e-Verify Doc (#3431)

peterdj45 · web-flow · commit 1fc2bb862dde · 2025-11-05T21:29:31.000Z
diff --git a/detection-rules/credential_phishing_esign_document_notification.yml b/detection-rules/credential_phishing_esign_document_notification.yml
@@ -12,6 +12,7 @@ source: |
                           "Agreement.{0,5}Review",
                           "Attend.and.Review",
                           "action.re?quired",
+                          "AuthentiSign",
                           "Completed.File",
                           "D[0o]chsared",
                           "D[0o]cshared",
@@ -31,6 +32,7 @@ source: |
                           "esign.[0o]nline",
                           "e-d[0o]c",
                           "e-signature",
+                          "e-Verify Doc",
                           "eSignature",
                           "eSign&Return",
                           "eSign[0o]nline",
@@ -133,6 +135,11 @@ source: |
   
     // HR impersonation
     or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*")
+  
+    // Sender display name is a phone number
+  or regex.imatch(sender.display_name,
+                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}'
+    )
   )
   and (
     any(body.links,
@@ -154,7 +161,9 @@ source: |
                         'clarify.{0,20}(deposit|wallet|funds)',
                         'enter.{0,15}teams',
                         'Review and sign',
-                        'REVIEW.*DOCUMENT'
+                        'REVIEW.*DOCUMENT',
+                        'Open Document',
+                        'Sign Now'
         )
         // check that the display_text is all lowercase
         or (
