From 5832a7d6f58ae85b25e9e1236af1929c582a37d5 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 24 Oct 2025 14:07:20 -0700
Subject: [PATCH 1/2] Update regex patterns for voicemail phishing detection
---
 .../link_credential_phishing_voicemail_language.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 7f80a245466..c99daf5fa5a 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -24,7 +24,7 @@ source: |
 // split phrases that start with "caller" that occur within 3 words between or only punctation
 'ca[li1][li1](?:er)?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:v[nm](\b|[[:punct:]])?|\bv[o0][il1]ce(?:mail|message)?|audi[o0]|missed(?:\sa\s)?|left( a)?)',
 // strong phrases
- '(?:open mp3|audi[o0] note|\.wav|left a vm|[^\s]+voip[^\s]*|unanswered.*ca[li1][li1]|incoming.vm|left msg|wireless ca[li1][li1]er|VM Service|v[o0][il1]ce message|missed.ca[li1][li1](?:e[rd])?|\bca[li1][li1].(?:support|service)(?: for| log)?|missed.{0,10} VM|new v[o0][il1]cemail from|new.v.m.from.\+?\d+|new v[o0][il1]cemail?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}transcript(s|ion)?|message received|incoming transmission|voice note)',
+ '(?:open mp3|audi[o0] note|\.wav|left a vm|[^\s]+voip[^\s]*|unanswered.*ca[li1][li1]|incoming.vm|left msg|wireless ca[li1][li1]er|VM Service|v[o0][il1]ce message|missed.ca[li1][li1](?:e[rd])?|\bca[li1][li1].(?:support|service)(?: for| log)?|missed.{0,10} VM|new v[o0][il1]cemail from|new.v.m.from.\+?\d+|new v[o0][il1]cemail?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}transcript(s|ion)?|message received|new message and call info|incoming transmission|voice note)',
 // starts in the format of `(4)` and contains some voicemail keywords
 '^\(\d\)\s(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:message|voip|v[o0][il1]ce|unread|call)',
 'ca[li1][li1](?:er)?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:playback|transcript)',
@@ -665,6 +665,11 @@ source: |
 sender.email.domain.domain in $org_domains
 and not coalesce(headers.auth_summary.dmarc.pass, false)
 )
+ // match if the sender address is blank or null
+ or (
+ regex.match(sender.email.email, "")
+ or sender.email.email is null
+ )
 )
 )
 attack_types:
From bca21abcedbd67a84385d431ff606c0aacc89e05 Mon Sep 17 00:00:00 2001
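Review bot: `regex.match(sender.email.email, "")` in the second hunk expresses an emptiness test as an empty regex, which reads like a no-op pattern and hides the intent; if `regex.match` is anchored to the whole string as it is in the rest of these rules, the line is equivalent to `sender.email.email == ""`, which is cheaper and self-explanatory. Either way an empty pattern does not accept a whitespace-only address, so if "blank" in the added comment is meant to include that case the check would need to allow it, e.g. `regex.match(sender.email.email, "\s*")`. The enclosing `and (...)` group begins outside the hunk; it deserves a short comment noting that this new alternative is taken without the DMARC test of the preceding branch by design, because a null or empty From address also appears on legitimate bounce and system mail and the rule presumably relies on the voicemail-language conditions earlier in the file to bound the false positives.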
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Mon, 27 Oct 2025 15:31:38 -0700
Subject: [PATCH 2/2] Update detection-rules/link_credential_phishing_voicemail_language.yml
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
---
 detection-rules/link_credential_phishing_voicemail_language.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index c99daf5fa5a..377645cd97b 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -24,7 +24,7 @@ source: |
 // split phrases that start with "caller" that occur within 3 words between or only punctation
 'ca[li1][li1](?:er)?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:v[nm](\b|[[:punct:]])?|\bv[o0][il1]ce(?:mail|message)?|audi[o0]|missed(?:\sa\s)?|left( a)?)',
 // strong phrases
- '(?:open mp3|audi[o0] note|\.wav|left a vm|[^\s]+voip[^\s]*|unanswered.*ca[li1][li1]|incoming.vm|left msg|wireless ca[li1][li1]er|VM Service|v[o0][il1]ce message|missed.ca[li1][li1](?:e[rd])?|\bca[li1][li1].(?:support|service)(?: for| log)?|missed.{0,10} VM|new v[o0][il1]cemail from|new.v.m.from.\+?\d+|new v[o0][il1]cemail?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}transcript(s|ion)?|message received|new message and call info|incoming transmission|voice note)',
+ '(?:open mp3|audi[o0] note|\.wav|left a vm|[^\s]+voip[^\s]*|unanswered.*ca[li1][li1]|incoming.vm|left msg|wireless ca[li1][li1]er|VM Service|v[o0][il1]ce message|missed.ca[li1][li1](?:e[rd])?|\bca[li1][li1].(?:support|service)(?: for| log)?|missed.{0,10} VM|new v[o0][il1]cemail from|new.v.m.from.\+?\d+|new v[o0][il1]cemail?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}transcript(s|ion)?|message received|new (?:message|call|voicemail).{0,15}(?:info|notification|alert)|incoming transmission|voice note)',
 // starts in the format of `(4)` and contains some voicemail keywords
 '^\(\d\)\s(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:message|voip|v[o0][il1]ce|unread|call)',
 'ca[li1][li1](?:er)?(?:\w+(\s\w+)?|[[:punct:]]+|\s+){0,3}(?:playback|transcript)',
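Review bot: The new alternative `new (?:message|call|voicemail).{0,15}(?:info|notification|alert)` spells `call` and `voicemail` literally, while every neighbouring alternative in the same pattern tolerates the digit-for-letter substitutions (`ca[li1][li1]`, `v[o0][il1]ce`), so a constructed subject such as "New v0icemail notification" that the rest of the rule is built to catch falls through this branch. For consistency with the surrounding alternatives use the existing character classes: `new (?:message|ca[li1][li1]|v[o0][il1]cemail).{0,15}(?:info|notification|alert)`. The `.{0,15}` gap is unanchored on both sides, so a short comment stating the phrase shapes it is meant to cover, e.g. `// e.g. "new message and call info", "new voicemail notification"`, would help the next maintainer tune it without widening it by accident.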