[PR #3616] added rule: Subject and sender display name contain matching 32-character alphanumeric string

github-actions[bot] · github-actions[bot] · commit 9a5f7e230d51 · 2025-12-02T22:31:37.000Z
diff --git a/detection-rules/3616_suspicious_matching_subject_sender_display_name.yml b/detection-rules/3616_suspicious_matching_subject_sender_display_name.yml
@@ -0,0 +1,26 @@
+name: "Subject and sender display name contain matching 32-character alphanumeric string"
+description: "Detects messages where both the subject line and sender display name contain identical 32-character alphanumeric strings, which may indicate automated generation or coordination between these fields for malicious purposes."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and any(regex.extract(subject.subject, '[A-Za-z0-9]{32}'),
+          any(regex.extract(sender.display_name, '[A-Za-z0-9]{32}'),
+              ..full_match == .full_match
+          )
+  )
+
+attack_types:
+  - "Malware/Ransomware"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "da5cb864-7ca5-5d52-84af-9f3b4e841197"
+og_id: "a8a0c831-b7f7-5534-bc4a-f01ca879a619"
+testing_pr: 3616
+testing_sha: 038e22f9329645cbf3c3727fe9021865423ebfd8
