[PR #3431] modified rule: Credential phishing: Suspicious e-sign agreement document notification

Author: github-actions[bot]

detection-rules/3431_credential_phishing_esign_document_notification.yml

@@ -135,6 +135,11 @@ source: |
   
     // HR impersonation
     or strings.ilike(sender.display_name, "HR", "H?R", "*Human Resources*")
+  
+    // Sender display name is a phone number
+  or regex.imatch(sender.display_name,
+                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}'
+    )
   )
   and (
     any(body.links,
@@ -157,7 +162,8 @@ source: |
                         'enter.{0,15}teams',
                         'Review and sign',
                         'REVIEW.*DOCUMENT',
-                        'Open Document'
+                        'Open Document',
+                        'Sign Now'
         )
         // check that the display_text is all lowercase
         or (
@@ -278,4 +284,4 @@ detection_methods:
 id: "5ab6d351-9439-5acb-abf1-1c552bcf17a6"
 og_id: "9b68c2d8-951e-5e04-9fa3-2ca67d9226a6"
 testing_pr: 3431
-testing_sha: e17bb655884f2f6c2d3df3860ba734190a58d7f0
+testing_sha: bc1b20aaaacf4a3595a3f59a92cc2cbd41505775