Skip to content

Create impersonation rule for AFP#4477

Open
missingn0pe wants to merge 2 commits into
mainfrom
missingn0pe.fn.ESC-13351.impersonation_afp_australian_federal_police
Open

Create impersonation rule for AFP#4477
missingn0pe wants to merge 2 commits into
mainfrom
missingn0pe.fn.ESC-13351.impersonation_afp_australian_federal_police

Conversation

@missingn0pe
Copy link
Copy Markdown
Member

@missingn0pe missingn0pe commented May 12, 2026

Description

This rule detects impersonation attempts using Australian Federal Police terminology in emails, focusing on specific phrases in the subject and sender's display name, as well as content in the body.

Associated samples

- Sample 1

Associated hunts

- Hunt 1 (Shared Samples)
- Hunt 2 (Multi-hunt)

@missingn0pe
Create impersonation rule for AFP
93478cf 
This rule detects impersonation attempts using Australian Federal Police terminology in emails, focusing on specific phrases in the subject and sender's display name, as well as content in the body.
@missingn0pe missingn0pe requested a review from a team May 12, 2026 16:00
@missingn0pe missingn0pe requested a review from a team as a code owner May 12, 2026 16:00
github-actions Bot added a commit that referenced this pull request May 12, 2026
@github-actions
[Shared Samples] [PR #4477] added rule: PR# 4477 - Impersonation: Aus…
56b3bff 
…tralian Federal Police with criminal case language
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label May 12, 2026
github-actions Bot added a commit that referenced this pull request May 12, 2026
@github-actions
[Test Rules] [PR #4477] added rule: Impersonation: Australian Federal…
27448f7 
… Police with criminal case language
@missingn0pe
Copy link
Copy Markdown
Member Author

missingn0pe commented May 12, 2026

Multi-hunt AU - https://hunt.limeseed.email/hunts/e4477f31-6f24-405b-94c8-2b93bd2aa927

github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request May 12, 2026
@github-actions
[Test Rules] [PR sublime-security#4477] added rule: Impersonation: Au…
fc98cb4 
…stralian Federal Police with criminal case language
@missingn0pe
Copy link
Copy Markdown
Member Author

missingn0pe commented May 16, 2026

Vector is quiet across any known AU servers hunted. No FP's present. Can let bake longer if needed.

@missingn0pe missingn0pe added the review-needed Indicates that a PR is waiting for review label May 16, 2026
@markmsublime
Copy link
Copy Markdown
Member

markmsublime commented May 19, 2026

Spoke with @missingn0pe offline about simplifying this rule and/or incorporating into another rule. Removing review needed label for now until direction is decided, will review again once added back!

@markmsublime markmsublime removed the review-needed Indicates that a PR is waiting for review label May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@missingn0pe @markmsublime