Skip to content

Create monday_infra_abuse.yml #2729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Create monday_infra_abuse.yml #2729

wants to merge 13 commits into from

Conversation

@peterdj45
Copy link
Member

@peterdj45 peterdj45 commented May 21, 2025

@peterdj45 peterdj45 marked this pull request as ready for review May 21, 2025 19:00
@peterdj45 peterdj45 requested a review from a team as a code owner May 21, 2025 19:00
@peterdj45 peterdj45 added the in-test-rules PR is in our testing suite to collect telemetry label May 21, 2025
@peterdj45
Copy link
Member Author

peterdj45 commented May 21, 2025

/update-test-rules

github-actions bot pushed a commit that referenced this pull request May 21, 2025
Sync from PR#2729
b8825f3 
Create monday_infra_abuse.yml by @peterdj45
#2729
Source SHA af107e7
Triggered by @peterdj45
@MSAdministrator
Copy link
Member

MSAdministrator commented Jun 5, 2025

I may be missing something but the samples provided above didn't match the rule itself or maybe I'm not doing something right lol. At least the first two samples also didn't have any attachments but did have the trackingservice.monday.com link

github-actions bot added a commit that referenced this pull request Jul 24, 2025
@github-actions
[PR #2729] modified rule: Monday.com Link Infrastructure Abuse
24d7cb0
@peterdj45
Copy link
Member Author

peterdj45 commented Sep 5, 2025
edited
Loading

I may be missing something but the samples provided above didn't match the rule itself or maybe I'm not doing something right lol. At least the first two samples also didn't have any attachments but did have the trackingservice.monday.com link

Ah, those were sent via salesforce and are hitting our high trust sender domain negation. I added an or statement to flag messages sent via SFDC

github-actions bot added a commit that referenced this pull request Sep 5, 2025
@github-actions
[PR #2729] modified rule: Monday.com Link Infrastructure Abuse
913d555
github-actions bot added a commit that referenced this pull request Sep 5, 2025
@github-actions
[PR #2729] modified rule: Monday.com link infrastructure abuse
f0efffd
@peterdj45 peterdj45 added the review-needed Indicates that a PR is waiting for review label Sep 5, 2025
@morriscode
Copy link
Member

morriscode commented Sep 9, 2025

The OR on line 97 is unencapsulated

@peterdj45 peterdj45 removed the review-needed Indicates that a PR is waiting for review label Sep 10, 2025
@peterdj45
Copy link
Member Author

peterdj45 commented Sep 12, 2025

I incorporated a topic check to filter out B2B cold outreach, and fixed the unencapsulated OR. I'll let this bake in test-rules over the weekend

github-actions bot added a commit that referenced this pull request Sep 12, 2025
@github-actions
[PR #2729] modified rule: Monday.com link infrastructure abuse
d14c47d
IndiaAce
IndiaAce requested changes Sep 23, 2025
View reviewed changes
Copy link
Member

@IndiaAce IndiaAce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logic looks good, but we might need to expand the negation for graymail and newsletters. I still see a bunch of what looks like benign matches in Mode

@zoomequipd
Update monday_infra_abuse.yml
52f895e 
use monday_tracker url decoder
unnest the or statements that use different attachment length logic to be their own
github-actions bot added a commit that referenced this pull request Oct 18, 2025
@github-actions
[PR #2729] modified rule: Monday.com link infrastructure abuse
4171ff3
github-actions bot added a commit that referenced this pull request Oct 18, 2025
@github-actions
[PR #2729] modified rule: Monday.com link infrastructure abuse
16859d3
@peterdj45 @IndiaAce
Update detection-rules/monday_infra_abuse.yml
c7f250e 
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Nov 4, 2025
@github-actions
[PR #2729] modified rule: Service abuse: Monday.com infrastructure wi…
a2a67d6 
…th phishing intent
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IndiaAce IndiaAce IndiaAce requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@peterdj45 @MSAdministrator @morriscode @IndiaAce @zoomequipd