Refine regex for detecting fake fax communications (#3481)

peterdj45 · web-flow · commit 0cd205a5dcfc · 2025-11-13T17:36:37.000Z
diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml
@@ -19,7 +19,8 @@ source: |
                         '\bfax\b',
                         '[ve][[:punct:]]?fax',
                         '[[:punct:]]fax\b',
-                        '\bfax[[:punct:]]'
+                        '\bfax[[:punct:]]',
+                        'fr[[:punct:]].{0,25}document'
         )
     )
   )
@@ -33,7 +34,7 @@ source: |
             or strings.icontains(., "Fax Status")
             or strings.icontains(., "Fax ID")
             or strings.icontains(., "New Fax Document")
-            or regex.icontains(., "(?:received|have) a (?:new )?fax")
+            or regex.icontains(., '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax')
             or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
             or regex.icontains(.,
                                'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,8 @@ source: \|`
`19`	`19`	`'\bfax\b',`
`20`	`20`	`'[ve][[:punct:]]?fax',`
`21`	`21`	`'[[:punct:]]fax\b',`
`22`		`- '\bfax[[:punct:]]'`
	`22`	`+ '\bfax[[:punct:]]',`
	`23`	`+ 'fr[[:punct:]].{0,25}document'`
`23`	`24`	`)`
`24`	`25`	`)`
`25`	`26`	`)`
`@@ -33,7 +34,7 @@ source: \|`
`33`	`34`	`or strings.icontains(., "Fax Status")`
`34`	`35`	`or strings.icontains(., "Fax ID")`
`35`	`36`	`or strings.icontains(., "New Fax Document")`
`36`		`- or regex.icontains(., "(?:received\|have) a (?:new )?fax")`
	`37`	`+ or regex.icontains(., '(?:received\|have) (a\|(?:(.?\d.?))) (?:new )?e?fax')`
`37`	`38`	`or regex.icontains(., "to view (th(?:e\|is) )?(?:fax\|message)")`
`38`	`39`	`or regex.icontains(.,`
`39`	`40`	`'transmit(?:ted\|ting)?(?:\s+\w+){0,2}\s+(?:fax\|facsimile)',`