Skip to content

Add first_name/last_name concat matching to org_vips body/subject rules#4515

Open
IndiaAce wants to merge 6 commits into
sublime-security:mainfrom
IndiaAce:india.fn.na.org_vips_name_ordering_body_subject
Open

Add first_name/last_name concat matching to org_vips body/subject rules#4515
IndiaAce wants to merge 6 commits into
sublime-security:mainfrom
IndiaAce:india.fn.na.org_vips_name_ordering_body_subject

Conversation

@IndiaAce

@IndiaAce IndiaAce commented May 20, 2026

Copy link
Copy Markdown
Member

Description

Add alternative name matching logic to org_vips body/subject/HTML-based rules to handle cases where
display_name is stored as "Lastname, Firstname" instead of "Firstname Lastname".
Uses strings.concat(.first_name, " ", .last_name) and strings.concat(.last_name, ", ", .first_name)
as additional or conditions inside existing any($org_vips, ...) blocks.

This is a test rule deployment to assess impact magnitude.

Affected rules

  • vip_impersonation_charity.yml
  • fake_thread_suspicious_indicators.yml
  • vip_impersonation_subject.yml
  • vip_impersonation_fake_thread.yml
  • impersonation_google_groups_suspicious.yml
  • service_abuse_trello_board_invite_vip.yml

Associated samples

N/A - validation only (no TP canonical available)

Associated hunts

TBD - will be run after test rule deployment

@IndiaAce @claude
Add first_name/last_name concat matching to org_vips body/subject rules
010ce33 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@IndiaAce IndiaAce requested a review from a team May 20, 2026 16:52
@IndiaAce IndiaAce requested a review from a team as a code owner May 20, 2026 16:52
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label May 20, 2026
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: Fake thread with suspicious indic…
58dfa34 
…ators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP Impersonation via Google Grou…
615e5a4 
…p relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: Service abuse: Trello board invit…
a3f7079 
…ation with VIP impersonation
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP impersonation with charitable…
e7e9cfc 
… donation fraud
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP impersonation: Fake thread wi…
c55cb79 
…th display name match, email mismatch
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR #4515] added rule: VIP / Executive impersonation in …
3f8c0d4 
…subject (untrusted)
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: Fake thread with …
11c70c6 
…suspicious indicators
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP Impersonation…
a01e603 
… via Google Group relay with suspicious indicators
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: Service abuse: Tr…
733bf7c 
…ello board invitation with VIP impersonation
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP impersonation…
22b73c2 
… with charitable donation fraud
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP impersonation…
691275f 
…: Fake thread with display name match, email mismatch
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 20, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] added rule: VIP / Executive i…
7e1a7c9 
…mpersonation in subject (untrusted)
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - Fake thread with s…
c3ebfc5 
…uspicious indicators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP Impersonation …
cb6ac41 
…via Google Group relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - Service abuse: Tre…
09a672e 
…llo board invitation with VIP impersonation
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP impersonation …
3f264a4 
…with charitable donation fraud
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP impersonation:…
fbcd55d 
… Fake thread with display name match, email mismatch
github-actions Bot added a commit that referenced this pull request May 20, 2026
@github-actions
[Shared Samples] [PR #4515] added rule: PR# 4515 - VIP / Executive im…
86b01f1 
…personation in subject (untrusted)
IndiaAce and others added 2 commits May 29, 2026 15:09
@IndiaAce @claude
Scope reduction: keep only lastname-firstname concat, add parenthetic…
13ab6e6 
…al stripping

- Remove redundant strings.concat(.first_name, " ", .last_name) checks (already covered by .display_name)
- Keep strings.concat(.last_name, ", ", .first_name) for orgs storing VIPs as "Doe, John"
- Add regex-based parenthetical stripping for VIP names like "Shelly Chaka (She/her/hers)"
- Handles both ASCII () and full-width () parentheses

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Auto-format MQL and add rule IDs
3c7644f
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: Fake thread with suspicious in…
dfb43a4 
…dicators
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP Impersonation via Google G…
7e7d430 
…roup relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: Service abuse: Trello board in…
f0f6949 
…vitation with VIP impersonation
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP impersonation with charita…
8623547 
…ble donation fraud
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP impersonation: Fake thread…
8630965 
… with display name match, email mismatch
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] modified rule: VIP Impersonat…
c5504f7 
…ion via Google Group relay with suspicious indicators
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] modified rule: Service abuse:…
137d3e7 
… Trello board invitation with VIP impersonation
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] modified rule: VIP impersonat…
4adb7ec 
…ion with charitable donation fraud
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] modified rule: VIP impersonat…
259500a 
…ion: Fake thread with display name match, email mismatch
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR sublime-security#4515] modified rule: VIP / Executiv…
e13cfa9 
…e impersonation in subject (untrusted)
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - Fake thread wit…
fd22b99 
…h suspicious indicators
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP Impersonati…
3a35e77 
…on via Google Group relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - Service abuse: …
df1416a 
…Trello board invitation with VIP impersonation
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP impersonati…
3c07233 
…on with charitable donation fraud
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP impersonati…
a680ec0 
…on: Fake thread with display name match, email mismatch
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP / Executive…
e75c29e 
… impersonation in subject (untrusted)
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: Fake thread with suspicious in…
3d9461b 
…dicators
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP Impersonation via Google G…
0f6e550 
…roup relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: Service abuse: Trello board in…
0b49a93 
…vitation with VIP impersonation
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP impersonation with charita…
02e96fc 
…ble donation fraud
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP impersonation: Fake thread…
bdea410 
… with display name match, email mismatch
github-actions Bot added a commit that referenced this pull request May 29, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP / Executive impersonation …
36a5f82 
…in subject (untrusted)
@IndiaAce @claude
Guard org_vips name concat against empty first_name/last_name fields
2ec7528 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - Fake thread wit…
bce0247 
…h suspicious indicators
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP Impersonati…
dee9bdb 
…on via Google Group relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - Service abuse: …
43b3eb2 
…Trello board invitation with VIP impersonation
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP impersonati…
f4de777 
…on with charitable donation fraud
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP impersonati…
54e03ef 
…on: Fake thread with display name match, email mismatch
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Shared Samples] [PR #4515] modified rule: PR# 4515 - VIP / Executive…
0e81f33 
… impersonation in subject (untrusted)
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: Fake thread with suspicious in…
b41fb6d 
…dicators
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP Impersonation via Google G…
64f0ccb 
…roup relay with suspicious indicators
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: Service abuse: Trello board in…
dea32a5 
…vitation with VIP impersonation
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP impersonation with charita…
78ef567 
…ble donation fraud
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP impersonation: Fake thread…
d09272e 
… with display name match, email mismatch
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Test Rules] [PR #4515] modified rule: VIP / Executive impersonation …
05e1967 
…in subject (untrusted)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@IndiaAce