[PR #3438] modified rule: Credential phishing: Suspicious e-sign agreement document notification

github-actions[bot] · github-actions[bot] · commit 08b1429cd69b · 2025-11-04T13:43:25.000Z
diff --git a/detection-rules/3438_credential_phishing_esign_document_notification.yml b/detection-rules/3438_credential_phishing_esign_document_notification.yml
@@ -29,7 +29,8 @@ source: |
                           "\\beSign",
                           "e\\.sign",
                           "esign.[0o]nline",
-                          "e.{0,4}d[0o]c",
+                          "[SsZz][lL][GgSs][Nn].*D[0o]c",
+                          "e-d[0o]c",
                           "e-signature",
                           "eSignature",
                           "eSign&Return",
@@ -275,4 +276,4 @@ detection_methods:
 id: "2a37b008-5bb3-5e3d-9e45-b6d92e21d4ef"
 og_id: "9b68c2d8-951e-5e04-9fa3-2ca67d9226a6"
 testing_pr: 3438
-testing_sha: bf0b2d29224d1b8e8fdd93d9db9ef67eae85c347
+testing_sha: a5dfa24a24cd58cdb7ef8a86d96b59bd61983eac
