Skip to content

Create impersonation_charter_spectrum.yml #3068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ben-sublime wants to merge 23 commits into
base: main
Choose a base branch
from
Open

Create impersonation_charter_spectrum.yml #3068

ben-sublime wants to merge 23 commits into from

Conversation

@ben-sublime
Copy link
Contributor

@ben-sublime ben-sublime commented Aug 12, 2025
edited
Loading

Description

Detects messages impersonating Charter Spectrum by using variations of 'Spectrum' or 'MyCharter' in the display name while not originating from legitimate Charter domains or failing DMARC authentication.

Associated samples

Associated hunts

@ben-sublime ben-sublime requested a review from a team as a code owner August 12, 2025 13:44
@ben-sublime ben-sublime added the in-test-rules PR is in our testing suite to collect telemetry label Aug 12, 2025
github-actions bot added a commit that referenced this pull request Aug 12, 2025
@github-actions
[PR #3068] changed rule: Brand impersonation: Charter Spectrum
7d0ca59
@ben-sublime
Update impersonation_charter_spectrum.yml
6670e83 
Added an exception for a third party mailer, ccsend.com
@ben-sublime
Update impersonation_charter_spectrum.yml
f34013e 
Reduced ccsend.com domain to root domain instead of spectrumbusiness.ccsend.com
@ben-sublime
Update impersonation_charter_spectrum.yml
4d986d6 
Missed a comma in an array
@ben-sublime
Update impersonation_charter_spectrum.yml
fc420e0
github-actions bot added a commit that referenced this pull request Aug 12, 2025
@github-actions
[PR #3068] modified rule: Brand impersonation: Charter Spectrum
37e6cf8
@ben-sublime
Update impersonation_charter_spectrum.yml
b9a7f8a 
Found additional exclusions for domains and special handling for spectrum.com and spectrum.net
@ben-sublime
Merge branch 'main' into ben-sublime-patch-3
e2d3689
@ben-sublime ben-sublime marked this pull request as draft August 15, 2025 14:57
github-actions bot added a commit that referenced this pull request Aug 15, 2025
@github-actions
[PR #3068] Delete detection rule
4281cb2
@ben-sublime ben-sublime marked this pull request as ready for review August 19, 2025 13:35
github-actions bot added a commit that referenced this pull request Aug 19, 2025
@github-actions
[PR #3068] changed rule: Brand impersonation: Charter Spectrum
9339c55
github-actions bot added a commit that referenced this pull request Aug 20, 2025
@github-actions
[PR #3068] modified rule: Brand impersonation: Charter Spectrum
ad229aa
github-actions bot added a commit that referenced this pull request Aug 21, 2025
@github-actions
[PR #3068] Delete detection rule
efd6a43
github-actions bot added a commit that referenced this pull request Aug 21, 2025
@github-actions
[PR #3068] changed rule: Brand impersonation: Charter Spectrum
7674ef0
github-actions bot added a commit that referenced this pull request Aug 21, 2025
@github-actions
[PR #3068] modified rule: Brand impersonation: Charter Spectrum
fae7c47
github-actions bot added a commit that referenced this pull request Aug 22, 2025
@github-actions
[PR #3068] modified rule: Brand impersonation: Charter Spectrum
3d1ec22
@ben-sublime ben-sublime added the review-needed Indicates that a PR is waiting for review label Aug 25, 2025
github-actions bot added a commit that referenced this pull request Aug 26, 2025
@github-actions
[PR #3068] Delete detection rule
5374013
@zoomequipd zoomequipd removed the review-needed Indicates that a PR is waiting for review label Sep 4, 2025
@MSAdministrator
Copy link
Member

MSAdministrator commented Sep 15, 2025

/update-test-rules

@MSAdministrator MSAdministrator self-requested a review September 15, 2025 16:20
@MSAdministrator MSAdministrator self-assigned this Sep 15, 2025
@zoomequipd
Copy link
Member

zoomequipd commented Sep 20, 2025

/update-test-rules

github-actions bot added a commit that referenced this pull request Sep 20, 2025
@github-actions
[PR #3068] changed rule: Brand impersonation: Charter Spectrum
8edb990
alex-herold and others added 2 commits October 28, 2025 07:59
@alex-herold
Sync .github directory from main branch
61d621e 
- Applied .github directory from main to ben-sublime-patch-3
- Ensures workflows and GitHub configurations are up to date
- Automated sync via script
@zoomequipd
Merge branch 'main' into ben-sublime-patch-3
a824995
github-actions bot added a commit that referenced this pull request Nov 6, 2025
@github-actions
[PR #3068] Delete detection rule
b67ab3b
github-actions bot added a commit that referenced this pull request Nov 6, 2025
@github-actions
[PR #3068] added rule: Brand impersonation: Charter Spectrum
a67ef43
github-actions bot added a commit that referenced this pull request Nov 9, 2025
@github-actions
[PR #3068] modified rule: Brand impersonation: Charter Spectrum
7a51d9b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MSAdministrator MSAdministrator Awaiting requested review from MSAdministrator

At least 1 approving review is required to merge this pull request.

Assignees

@MSAdministrator MSAdministrator

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ben-sublime @MSAdministrator @zoomequipd @alex-herold