Skip to content

Refine name and description for UPS impersonation rule#4633

Open
cybher0808 wants to merge 1 commit into
mainfrom
cybher0808.fn.esc-15123.upsimpersonation
Open

Refine name and description for UPS impersonation rule#4633
cybher0808 wants to merge 1 commit into
mainfrom
cybher0808.fn.esc-15123.upsimpersonation

Conversation

@cybher0808

@cybher0808 cybher0808 commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown
Member

Description

Adding UPS-\w+ for sender.display to the rule.

Associated samples

Associated hunts

@cybher0808 cybher0808 requested a review from a team June 8, 2026 18:43
@cybher0808 cybher0808 requested a review from a team as a code owner June 8, 2026 18:43
@cybher0808 cybher0808 self-assigned this Jun 8, 2026
@cybher0808 cybher0808 added the in-test-rules PR is in our testing suite to collect telemetry label Jun 8, 2026
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Test Rules] [PR #4633] added rule: Brand Impersonation: UPS Delivery
2c84ea9
github-actions Bot added a commit that referenced this pull request Jun 8, 2026
@github-actions
[Shared Samples] [PR #4633] added rule: PR# 4633 - Brand Impersonatio…
ca7fae2 
…n: UPS Delivery
@cybher0808

cybher0808 commented Jun 10, 2026

Copy link
Copy Markdown
Member Author

Most recent - update after sharing results from mode - hunt - 3Days. Submitting a R4R.

@cybher0808 cybher0808 added the review-needed Indicates that a PR is waiting for review label Jun 10, 2026
IndiaAce
IndiaAce requested changes Jun 10, 2026
View reviewed changes
Comment thread detection-rules/impersonation_ups.yml
@@ -1,6 +1,6 @@
name: "Brand impersonation: UPS"
name: "Brand Impersonation: UPS Delivery"

@IndiaAce IndiaAce Jun 10, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name: "Brand Impersonation: UPS Delivery"
name: "Brand impersonation: UPS Delivery"

Is UPS Delivery the name of the org? Genuinely not sure, if it's just the word "delivery" lets lowercase that please and thank you!

Comment thread detection-rules/impersonation_ups.yml
and sender.email.domain.root_domain not in ("ups.com", "upsemail.com")
and (
sender.display_name in~ ("UPS My Choice", "UPS Services")
or regex.icontains(sender.display_name, 'UPS-\w+')

@IndiaAce IndiaAce Jun 10, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non blocking since it's alllll over this rule, but icontains is case insensitive so no need to all-caps that. Also I found a sample that we might want to match on this but it's Ups.com so your "-" here causes it not to match, you don't have to hoover this up into your change and I'm aligned with approving this tbh but wanted to show you: https://platform.sublime.security/messages/507db04ef7f2d59883b680ea4827f37284d34299084e48bef04816fda4afdaab?preview_id=019e84b4-3c38-7661-8dfe-1663a5f2ed4f nice find on this!

IndiaAce
IndiaAce requested changes Jun 10, 2026
View reviewed changes

@IndiaAce IndiaAce left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few nits!

@IndiaAce IndiaAce removed the review-needed Indicates that a PR is waiting for review label Jun 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@IndiaAce IndiaAce IndiaAce requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@cybher0808 cybher0808

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cybher0808 @IndiaAce