From ab36e96e64bee1f7732c8bb7456b77b6061af98c Mon Sep 17 00:00:00 2001 From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com> Date: Wed, 17 Dec 2025 13:32:44 -0600 Subject: [PATCH 1/4] Update attachment_sus_employee_doc.yml --- detection-rules/attachment_sus_employee_doc.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/detection-rules/attachment_sus_employee_doc.yml b/detection-rules/attachment_sus_employee_doc.yml index 2bd1426334a..523c937ecda 100644 --- a/detection-rules/attachment_sus_employee_doc.yml +++ b/detection-rules/attachment_sus_employee_doc.yml @@ -44,7 +44,7 @@ source: | ) and 0 < length(attachments) <= 3 and any(attachments, - .file_extension in ("doc", "docx", "docm", "pdf") + .file_extension in ("doc", "docx", "docm", "pdf", "pptx") and ( strings.icontains(.file_name, 'salary') or strings.icontains(.file_name, 'compensation') @@ -54,6 +54,7 @@ source: | or strings.icontains(.file_name, 'merit') or strings.icontains(.file_name, 'handbook') or strings.icontains(.file_name, 'benefits') + or strings.icontains(.file_name, 'empl0yment') ) and ( strings.icontains(.file_name, 'review') @@ -76,6 +77,7 @@ source: | or regex.icontains(.file_name, 'adjust(?:ed|ment)') or regex.icontains(.file_name, 'update(?:d| to)') or regex.icontains(.file_name, '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}') + or strings.icontains(.file_name, 'contract') or ( // file name contains recipient's email any(recipients.to, From cce6a893c14ed5824e5c5f75b4f2a461c15d6b03 Mon Sep 17 00:00:00 2001 From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com> Date: Wed, 17 Dec 2025 13:35:28 -0600 Subject: [PATCH 2/4] Update attachment_sus_employee_doc.yml --- detection-rules/attachment_sus_employee_doc.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/detection-rules/attachment_sus_employee_doc.yml b/detection-rules/attachment_sus_employee_doc.yml index 523c937ecda..f687c26cb1b 100644 --- a/detection-rules/attachment_sus_employee_doc.yml +++ b/detection-rules/attachment_sus_employee_doc.yml @@ -16,6 +16,7 @@ source: | or strings.icontains(subject.subject, 'handbook') or strings.icontains(subject.subject, 'benefits') or strings.icontains(subject.subject, 'earnings') + or strings.icontains(subject.subject, 'contract') ) and ( strings.icontains(subject.subject, 'review') From f1f930e93bf68a6cd6af144ad78f87b62dee8d4d Mon Sep 17 00:00:00 2001 From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com> Date: Mon, 22 Dec 2025 13:23:24 -0600 Subject: [PATCH 3/4] Update attachment_sus_employee_doc.yml --- .../attachment_sus_employee_doc.yml | 74 ++++++++++--------- 1 file changed, 39 insertions(+), 35 deletions(-) diff --git a/detection-rules/attachment_sus_employee_doc.yml b/detection-rules/attachment_sus_employee_doc.yml index f687c26cb1b..4cf49334628 100644 --- a/detection-rules/attachment_sus_employee_doc.yml +++ b/detection-rules/attachment_sus_employee_doc.yml 
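Review bot: `contract` is added here to the subject's pay-term group (the first `and (` branch), while patch 1 put the same term into the file-name qualifier group (the second branch, next to `update(?:d| to)`), so the two halves of the rule treat it asymmetrically: a subject needs `contract` plus a qualifier such as `review`, whereas a file name needs `contract` plus a pay term such as `salary`. If the lists are meant to mirror each other, move the file-name entry up into its pay-term group or add it to both, otherwise `Contract_Review.pdf` alone will not satisfy the attachment branch while `Contract review` does satisfy the subject branch. `strings.icontains` is also a bare substring test, so this fires on `contractor` and `subcontract` as well; `regex.icontains(subject.subject, '\bcontracts?\b')` would be tighter if that is unwanted.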
@@ -4,43 +4,45 @@ type: "rule" severity: "medium" source: | type.inbound + // NOTE: This rule is designed for these values to match/sync subject.base and file names and ( // the subject contains pay related items ( - strings.icontains(subject.subject, 'salary') - or regex.icontains(subject.subject, '\bpay(?:out|roll|\b)') - or strings.icontains(subject.subject, 'remuneration') - or strings.icontains(subject.subject, 'bonus') - or strings.icontains(subject.subject, 'incentive') - or strings.icontains(subject.subject, 'merit') - or strings.icontains(subject.subject, 'handbook') - or strings.icontains(subject.subject, 'benefits') - or strings.icontains(subject.subject, 'earnings') - or strings.icontains(subject.subject, 'contract') + strings.icontains(subject.base, 'salary') + or regex.icontains(subject.base, '\bpay(?:out|roll|\b)') + or strings.icontains(subject.base, 'remuneration') + or strings.icontains(subject.base, 'bonus') + or strings.icontains(subject.base, 'incentive') + or strings.icontains(subject.base, 'merit\b') + or strings.icontains(subject.base, 'handbook') + or strings.icontains(subject.base, 'benefits') + or strings.icontains(subject.base, 'earnings') + or strings.icontains(subject.base, 'contract') + or regex.icontains(subject.base, 'empl[o|0]yment') ) and ( - strings.icontains(subject.subject, 'review') - or strings.icontains(subject.subject, 'breakdown') - or strings.icontains(subject.subject, 'Access Your') - or strings.icontains(subject.subject, 'evaluation') - or regex.icontains(subject.subject, 'eval\b') - or strings.icontains(subject.subject, 'assessment') - or strings.icontains(subject.subject, 'appraisal') - or strings.icontains(subject.subject, 'feedback') - or strings.icontains(subject.subject, 'performance') - or strings.icontains(subject.subject, 'adjustment') - or strings.icontains(subject.subject, 'qualification') - or strings.icontains(subject.subject, 'increase') - or strings.icontains(subject.subject, 'raise') - or 
strings.icontains(subject.subject, 'change') - or strings.icontains(subject.subject, 'modification') - or strings.icontains(subject.subject, 'distribution') - or strings.icontains(subject.subject, 'details') - or regex.icontains(subject.subject, 'revis(?:ed|ion)') - or regex.icontains(subject.subject, 'amend(?:ed|ment)') - or regex.icontains(subject.subject, 'update(?:d| to)') - or strings.icontains(subject.subject, 'plan') - or strings.icontains(subject.subject, 'notification') + strings.icontains(subject.base, 'review') + or strings.icontains(subject.base, 'breakdown') + or strings.icontains(subject.base, 'Access Your') + or strings.icontains(subject.base, 'evaluation') + or regex.icontains(subject.base, 'eval\b') + or strings.icontains(subject.base, 'assessment') + or strings.icontains(subject.base, 'appraisal') + or strings.icontains(subject.base, 'feedback') + or strings.icontains(subject.base, 'performance') + or strings.icontains(subject.base, 'adjustment') + or strings.icontains(subject.base, 'qualification') + or strings.icontains(subject.base, 'increase') + or strings.icontains(subject.base, 'raise') + or strings.icontains(subject.base, 'change') + or strings.icontains(subject.base, 'modification') + or strings.icontains(subject.base, 'distribution') + or strings.icontains(subject.base, 'details') + or regex.icontains(subject.base, 'revis(?:ed|ion)') + or regex.icontains(subject.base, 'amend(?:ed|ment)') + or regex.icontains(subject.base, 'update(?:d| to)') + or strings.icontains(subject.base, 'plan') + or strings.icontains(subject.base, 'notification') ) ) and 0 < length(attachments) <= 3 
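Review bot: `strings.icontains(subject.base, 'merit\b')` on the new side does not give a word boundary — `strings.icontains` is a literal substring match, so `\b` is treated as characters rather than a regex anchor, and the `merit` term effectively stops matching anything (the removed `strings.icontains(subject.subject, 'merit')` at least matched). Use the regex helper the file already uses for `\bpay(?:out|roll|\b)` and `eval\b` in the same group: `or regex.icontains(subject.base, 'merit\b')`. The added NOTE says these values are designed to sync with the file-name lists, but on this page the subject pay-term group carries `remuneration`, `earnings` and `contract` while the file-name pay-term group in the later hunk does not, and `contract` sits in the file-name qualifier group instead; either align the lists or reword the NOTE to say which terms are intentionally subject-only.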
@@ -52,10 +54,10 @@ source: | or regex.icontains(.file_name, '\bpay(?:roll|\b)') or strings.icontains(.file_name, 'bonus') or strings.icontains(.file_name, 'incentive') - or strings.icontains(.file_name, 'merit') + or strings.icontains(.file_name, 'merit\b') or strings.icontains(.file_name, 'handbook') or strings.icontains(.file_name, 'benefits') - or strings.icontains(.file_name, 'empl0yment') + or regex.icontains(.file_name, 'empl[o|0]yment') ) and ( strings.icontains(.file_name, 'review') @@ -77,7 +79,9 @@ source: | or regex.icontains(.file_name, 'amend(?:ed|ment)') or regex.icontains(.file_name, 'adjust(?:ed|ment)') or regex.icontains(.file_name, 'update(?:d| to)') - or regex.icontains(.file_name, '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}') + or regex.icontains(.file_name, + '(January|February|March|April|May|June|July|August|September|October|November|December)\s20[2,3]{1}\d{1}' + ) or strings.icontains(.file_name, 'contract') or ( // file name contains recipient's email From ce0d868eb01bc69385ecf4711944d2e53c3f7a94 Mon Sep 17 00:00:00 2001 From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com> Date: Mon, 22 Dec 2025 16:09:00 -0600 Subject: [PATCH 4/4] Update attachment_sus_employee_doc.yml --- detection-rules/attachment_sus_employee_doc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detection-rules/attachment_sus_employee_doc.yml b/detection-rules/attachment_sus_employee_doc.yml index 4cf49334628..051133c778d 100644 --- a/detection-rules/attachment_sus_employee_doc.yml +++ b/detection-rules/attachment_sus_employee_doc.yml @@ -18,7 +18,7 @@ source: | or strings.icontains(subject.base, 'benefits') or strings.icontains(subject.base, 'earnings') or strings.icontains(subject.base, 'contract') - or regex.icontains(subject.base, 'empl[o|0]yment') + or regex.icontains(subject.base, 'empl[o0]yment') ) and ( strings.icontains(subject.base, 'review') 
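Review bot: `strings.icontains(.file_name, 'merit\b')` silently disables the `merit` term: `strings.icontains` is a plain substring test, so the `\b` is matched as literal characters and no real file name will contain them, whereas the removed `strings.icontains(.file_name, 'merit')` did match. Change it to `or regex.icontains(.file_name, 'merit\b')`, consistent with the `regex.icontains(.file_name, '\bpay(?:roll|\b)')` line two lines above, which is the form that actually gets a word boundary. If the goal was to stop matching words such as `meritorious`, the regex form achieves that and the literal form achieves nothing. The enclosing `any(attachments, …)` body starts and ends outside this hunk.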
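Review bot: The re-wrapped month regex still reads `20[2,3]{1}\d{1}`; the comma inside the character class is a literal character, so `March 20,5` also satisfies it, and both `{1}` quantifiers are no-ops. Since the line is being reformatted anyway, tighten the tail to `'\s20[23]\d'`, i.e. `'(January|February|March|April|May|June|July|August|September|October|November|December)\s20[23]\d'`. This is pre-existing rather than introduced by the commit, and the `any(attachments, …)` body it belongs to continues outside the hunk.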
@@ -57,7 +57,7 @@ source: | or strings.icontains(.file_name, 'merit\b') or strings.icontains(.file_name, 'handbook') or strings.icontains(.file_name, 'benefits') - or regex.icontains(.file_name, 'empl[o|0]yment') + or regex.icontains(.file_name, 'empl[o0]yment') ) and ( strings.icontains(.file_name, 'review')