Skip to content

Create detection rule for BEC tax document requests#4586

Open
cybher0808 wants to merge 5 commits into
mainfrom
cybher0808.fn.esc-14468.bectax
Open

Create detection rule for BEC tax document requests#4586
cybher0808 wants to merge 5 commits into
mainfrom
cybher0808.fn.esc-14468.bectax

Conversation

@cybher0808

@cybher0808 cybher0808 commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown
Member

Description

Detects messages requesting W-2 tax documents or related tax information. The rule identifies senders using common administrative local parts and filters for messages containing W-2 language combined with request entities detected through natural language processing.

Associated samples

Associated hunts

@cybher0808 cybher0808 requested a review from a team June 2, 2026 01:58
@cybher0808 cybher0808 requested a review from a team as a code owner June 2, 2026 01:58
@cybher0808 cybher0808 self-assigned this Jun 2, 2026
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Jun 2, 2026
github-actions Bot added a commit that referenced this pull request Jun 2, 2026
@github-actions
[Test Rules] [PR #4586] added rule: BEC Impersonation: Tax document r…
9079a1c 
…equest
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request Jun 2, 2026
@github-actions
[Test Rules] [PR sublime-security#4586] added rule: BEC Impersonation…
e42d691 
…: Tax document request
github-actions Bot added a commit that referenced this pull request Jun 2, 2026
@github-actions
[Shared Samples] [PR #4586] added rule: PR# 4586 - BEC Impersonation:…
5869c92 
… Tax document request
@cybher0808

cybher0808 commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown
Member Author

Results look really good here after sharing results from multi-hunt. Marking R4R.

@cybher0808 cybher0808 added the review-needed Indicates that a PR is waiting for review label Jun 2, 2026
zoomequipd
zoomequipd requested changes Jun 4, 2026
View reviewed changes
Comment thread detection-rules/tax_w2_impersonation.yml Outdated
zoomequipd
zoomequipd requested changes Jun 4, 2026
View reviewed changes
Comment thread detection-rules/tax_w2_impersonation.yml Outdated
zoomequipd
zoomequipd requested changes Jun 4, 2026
View reviewed changes
Comment thread detection-rules/tax_w2_impersonation.yml Outdated
zoomequipd
zoomequipd requested changes Jun 4, 2026
View reviewed changes
Comment thread detection-rules/tax_w2_impersonation.yml Outdated
@zoomequipd zoomequipd self-assigned this Jun 4, 2026
@cybher0808 cybher0808 removed the review-needed Indicates that a PR is waiting for review label Jun 5, 2026
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request Jun 5, 2026
@github-actions
[Test Rules] [PR sublime-security#4586] modified rule: BEC: Tax docum…
035a62b 
…ent request
github-actions Bot added a commit that referenced this pull request Jun 5, 2026
@github-actions
[Test Rules] [PR #4586] modified rule: BEC: Tax document request
bec6649
github-actions Bot added a commit that referenced this pull request Jun 5, 2026
@github-actions
[Shared Samples] [PR #4586] modified rule: PR# 4586 - BEC: Tax docume…
78eac05 
…nt request
github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request Jun 5, 2026
@github-actions
[Test Rules] [PR sublime-security#4586] modified rule: BEC: Tax docum…
5776fb0 
…ent request
github-actions Bot added a commit that referenced this pull request Jun 5, 2026
@github-actions
[Test Rules] [PR #4586] modified rule: BEC: Tax document request
4e95bdd
github-actions Bot added a commit that referenced this pull request Jun 5, 2026
@github-actions
[Shared Samples] [PR #4586] modified rule: PR# 4586 - BEC: Tax docume…
1a802dd 
…nt request
@cybher0808

cybher0808 commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown
Member Author

Shared latest mode and ran SS hunt - 180 Days. Added a few changes with the keywords in the body and I noticed there were a few emails with sender domain that was created less than 30 days.

Marking for review.

@cybher0808 cybher0808 added the review-needed Indicates that a PR is waiting for review label Jun 8, 2026
@IndiaAce IndiaAce assigned IndiaAce and unassigned zoomequipd Jun 10, 2026
@IndiaAce IndiaAce self-requested a review June 10, 2026 14:46
IndiaAce
IndiaAce requested changes Jun 10, 2026
View reviewed changes
Comment thread detection-rules/tax_w2_impersonation.yml
@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd requested changes

@IndiaAce IndiaAce IndiaAce requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@IndiaAce IndiaAce

@cybher0808 cybher0808

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cybher0808 @zoomequipd @IndiaAce