[PR #3058] modified rule: Cloud storage impersonation with credential theft indicators

github-actions[bot] · github-actions[bot] · commit d96760bd3583 · 2025-08-07T19:28:57.000Z
diff --git a/detection-rules/3058_credential_theft_cloud_storage_impersonation.yml b/detection-rules/3058_credential_theft_cloud_storage_impersonation.yml
@@ -4,10 +4,11 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
+  and length(body.current_thread.text) > 120
   and (
     0 < length(body.links) < 8
     and any([subject.subject, sender.display_name],
-            regex.icontains(., "cloud|storage|mailbox")
+            regex.icontains(., "(?:cloud|storage|mailbox)")
     )
   )
   and (
@@ -20,8 +21,8 @@ source: |
                             "free.{0,50}upgrade",
                             "storage.{0,50}details",
                             "storage.{0,50}quot",
-                            "mailbox|cloud|account.{0,50}disabled",
-                            "email|cloud|total.{0,50}storage"
+                            "(?:mailbox|cloud|account).{0,50}disabled",
+                            "(?:email|cloud|total).{0,50}storage"
         )
         and not strings.ilike(.scan.ocr.raw, "*free plan*")
     )
@@ -46,7 +47,6 @@ source: |
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
-
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -65,4 +65,4 @@ detection_methods:
 id: "6c17535b-9ad1-5417-918e-f6dc344bdd92"
 og_id: "4c20f72c-0045-518c-8157-7dad5f196ecc"
 testing_pr: 3058
-testing_sha: 2a169bed7ef257e4db513e458aaf0423fdd5b4e9
+testing_sha: 2c81054d443a1adf48d852d477b1940b815376db
