Update credential_phishing_esign_document_notification.yml

peterdj45 · web-flow · commit bc1b20aaaacf · 2025-11-03T17:27:45.000-08:00
diff --git a/detection-rules/credential_phishing_esign_document_notification.yml b/detection-rules/credential_phishing_esign_document_notification.yml
@@ -135,6 +135,11 @@ source: |
   
     // HR impersonation
     or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*")
+  
+    // Sender display name is a phone number
+  or regex.imatch(sender.display_name,
+                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}'
+    )
   )
   and (
     any(body.links,
@@ -157,7 +162,8 @@ source: |
                         'enter.{0,15}teams',
                         'Review and sign',
                         'REVIEW.*DOCUMENT',
-                        'Open Document'
+                        'Open Document',
+                        'Sign Now'
         )
         // check that the display_text is all lowercase
         or (
