From bf0b2d29224d1b8e8fdd93d9db9ef67eae85c347 Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Tue, 28 Oct 2025 11:20:29 -0400 Subject: [PATCH 1/2] LWescott Update credential_phishing_esign_document_notification.yml --- .../credential_phishing_esign_document_notification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/credential_phishing_esign_document_notification.yml b/detection-rules/credential_phishing_esign_document_notification.yml index f8ccec6bb7b..8efaa840153 100644 --- a/detection-rules/credential_phishing_esign_document_notification.yml +++ b/detection-rules/credential_phishing_esign_document_notification.yml @@ -29,7 +29,7 @@ source: | "\\beSign", "e\\.sign", "esign.[0o]nline", - "e-d[0o]c", + "e.{0,4}d[0o]c", "e-signature", "eSignature", "eSign&Return", From a5dfa24a24cd58cdb7ef8a86d96b59bd61983eac Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Tue, 4 Nov 2025 08:26:14 -0500 Subject: [PATCH 2/2] Update credential_phishing_esign_document_notification.yml --- .../credential_phishing_esign_document_notification.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/detection-rules/credential_phishing_esign_document_notification.yml b/detection-rules/credential_phishing_esign_document_notification.yml index 8efaa840153..354a2e57ca6 100644 --- a/detection-rules/credential_phishing_esign_document_notification.yml +++ b/detection-rules/credential_phishing_esign_document_notification.yml @@ -29,7 +29,8 @@ source: | "\\beSign", "e\\.sign", "esign.[0o]nline", - "e.{0,4}d[0o]c", + "[SsZz][lL][GgSs][Nn].*D[0o]c", + "e-d[0o]c", "e-signature", "eSignature", "eSign&Return",