[PR #3434] modified rule: Fake voicemail notification (untrusted sender)

github-actions[bot] · github-actions[bot] · commit c852c502dad2 · 2025-10-27T22:39:53.000Z
diff --git a/detection-rules/3434_link_credential_phishing_voicemail_language.yml b/detection-rules/3434_link_credential_phishing_voicemail_language.yml
@@ -24,7 +24,7 @@ source: |
                         // split phrases that start with "caller" that occur within 3 words between or only punctation 
                         'ca[li1][li1](?:er)?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:v[nm](\b|[[:punct:]])?|\bv[o0][il1]ce(?:mail|message)?|audi[o0]|missed(?:\sa\s)?|left( a)?)',
                         // strong phrases
-                        '(?:open mp3|audi[o0] note|\.wav|left a vm|[^\s]+voip[^\s]*|unanswered.*ca[li1][li1]|incoming.vm|left msg|wireless ca[li1][li1]er|VM Service|v[o0][il1]ce message|missed.ca[li1][li1](?:e[rd])?|\bca[li1][li1].(?:support|service)(?: for| log)?|missed.{0,10} VM|new v[o0][il1]cemail from|new.v.m.from.\+?\d+|new v[o0][il1]cemail?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}transcript(s|ion)?|message received|new message and call info|incoming transmission|voice note)',
+                        '(?:open mp3|audi[o0] note|\.wav|left a vm|[^\s]+voip[^\s]*|unanswered.*ca[li1][li1]|incoming.vm|left msg|wireless ca[li1][li1]er|VM Service|v[o0][il1]ce message|missed.ca[li1][li1](?:e[rd])?|\bca[li1][li1].(?:support|service)(?: for| log)?|missed.{0,10} VM|new v[o0][il1]cemail from|new.v.m.from.\+?\d+|new v[o0][il1]cemail?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}transcript(s|ion)?|message received|new (?:message|call|voicemail).{0,15}(?:info|notification|alert)|incoming transmission|voice note)',
                         // starts in the format of `(4)` and contains some voicemail keywords
                         '^\(\d\)\s(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:message|voip|v[o0][il1]ce|unread|call)',
                         'ca[li1][li1](?:er)?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:playback|transcript)',
@@ -684,4 +684,4 @@ detection_methods:
 id: "803285d4-03f5-58f6-bc98-123d59ec795e"
 og_id: "74ba7787-e543-5ce8-b6eb-e1ecdb8f1d67"
 testing_pr: 3434
-testing_sha: 5832a7d6f58ae85b25e9e1236af1929c582a37d5
+testing_sha: bca21abcedbd67a84385d431ff606c0aacc89e05
