
[senderprofle] Remove Bulk Set 5 #4102

Open

MSAdministrator wants to merge 13 commits into main from msadministrator.fn.senderprofile.bulk_set_5

Conversation

MSAdministrator (Member) commented Mar 3, 2026

Description

Removing sender profile from some identified rules

Rules & Notes

| Should Merge | Rule Name | Notes |
| --- | --- | --- |
| Yes | Attachment: Office document with VSTO add-in | Only LB gained but minimal |
| | Attachment: Office file with suspicious function calls or downloaded file path | |
| Yes | Attachment: Link to [Doubleclick.net](http://doubleclick.net/) open redirect | 0 gained |
| Yes | Attachment: Compensation review lure with QR code | Gained malicious |
| Yes | Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | Malicious gained |
| Yes | VIP impersonation with BEC language (near match, untrusted sender) | 0 gained |
| No | VIP impersonation with urgent request (strict match, untrusted sender) | Too many LB |
| No | Link: Free file hosting with undisclosed recipients | Too many LB |

Rules Evaluated & Reverted

  • VIP impersonation with urgent request (strict match, untrusted sender)
  • Link: Free file hosting with undisclosed recipients

  • Mar 3, 2026 17:07: MSAdministrator requested a review from a team
  • Mar 3, 2026 17:07: MSAdministrator requested a review from a team as a code owner
  • Mar 3, 2026: MSAdministrator changed the title from "Update impersonation_vip_bec_loose.yml" to "[senderprofle] Remove Bulk Set 5"
  • Mar 3, 2026: github-actions Bot added the labels test-rules:excluded:link_analysis (Link analysis in rule, excluding from test rules) and hunting-required (Hunts needed to validate rule efficacy)
github-actions Bot (Contributor) commented Mar 3, 2026

Test Rules Sync - Excluded

This PR contains rules that use ml.link_analysis, which is not supported in the test-rules environment.

The hunting-required label has been applied. These rules will need to be tested through alternative methods.

@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Mar 3, 2026
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request (…icious function calls or downloaded file path)
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request (…heft language and link to a free subdomain (unsolicited))
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request (… file contains OLE relationship to credential phishing page)
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request (… file with suspicious function calls or downloaded file path)
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 3, 2026: github-actions Bot added a commit that referenced this pull request (…th credential theft language and link to a free subdomain (unsolicited))
  • Mar 4, 2026: github-actions Bot added a commit that referenced this pull request (…heft language and link to a free subdomain (unsolicited))
  • Mar 4, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 4, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 4, 2026: github-actions Bot added a commit that referenced this pull request
  • Mar 4, 2026: github-actions Bot added a commit that referenced this pull request
)
)
)
// the message is unsolicited and no false positives
MSAdministrator (Member, Author) commented:

Rule Test Results — 13MAR2026

Rule: Attachment: Office document with VSTO add-in
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 7 |
| Both Rules Match | 1 |
| Gained (new only) | 6 |
| ↳ Excluded | 0 |
| ↳ Not Excluded | 6 |
| Gained/Both Ratio | 600.0% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 0 | 0.0% |
| Suspicious | 0 | 0.0% |
| Likely Benign | 6 | 100.0% |
| Spam | 0 | 0.0% |
| Graymail | 0 | 0.0% |

Malicious over Likely Benign: -100.0%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 0 | 0.0% |
| Truly new (no other rule matched) | 6 | 100.0% |
| In shared EMLs (known bad) | 0 | 0.0% |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 6 |
| Not Active | 0 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |
| No Action | 6 |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| No Other rules matched | 6 |
| Attachment: Office document with VSTO add-in | 1 |
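The report above compares the production rule (with its sender-profile condition) against the candidate (condition removed) over the same batch of messages. The block below is an added example that reproduces those metrics from a constructed batch; it is not the sublime-rules project's test-rules tooling. The `Sample` fields, the report keys and the `should_merge` threshold are assumptions; the formulas are inferred from the numbers in the tables (Gained/Both = gained ÷ both, Malicious over Likely Benign = (malicious − likely benign) ÷ likely benign, both printed as `inf%` when the denominator is zero). It adds one consistency check the bot does not print: a loosened rule must be a superset of the original, so any message the production rule matches but the candidate does not means the two were not scored over the same messages.

```python
"""Score a candidate rule against the production rule over a batch of
messages, reproducing the metrics in the 'Rule Test Results' comments.

Added example, not the sublime-rules project's own test-rules tooling.
Sample fields, report keys and the should_merge threshold are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

VERDICTS = ("Malicious", "Suspicious", "Likely Benign", "Spam", "Graymail")


@dataclass(frozen=True)
class Sample:
    msg_id: str
    verdict: str                 # one of VERDICTS
    core_match: bool             # production rule (with sender profile) matched
    new_match: bool              # candidate rule (sender profile removed) matched
    excluded: bool               # a global exclusion rule suppressed the candidate match
    core_active: bool            # production rule was deployed when the message arrived
    other_rules: Tuple[str, ...] = ()   # other production rules that also matched
    action: str = "No Action"    # action taken on the message at the time


def ratio(n: int, d: int) -> float:
    """Percentage n/d rounded to one decimal; inf when d == 0 (the report's 'inf%')."""
    return float("inf") if d == 0 else round(100.0 * n / d, 1)


def summarize(samples: List[Sample]) -> Dict[str, object]:
    """Build the per-rule report from samples where either rule matched."""
    both = [s for s in samples if s.core_match and s.new_match]
    gained = [s for s in samples if s.new_match and not s.core_match]
    lost = [s for s in samples if s.core_match and not s.new_match]
    gained_ne = [s for s in gained if not s.excluded]   # Gained & Not Excluded
    n_ne = len(gained_ne)
    verdicts = Counter(s.verdict for s in gained_ne)
    mal, lb = verdicts["Malicious"], verdicts["Likely Benign"]
    already = sum(1 for s in gained_ne if s.other_rules)
    in_scope = both + gained
    others = Counter(r for s in in_scope for r in s.other_rules)
    others["No Other rules matched"] = sum(1 for s in in_scope if not s.other_rules)
    return {
        "total_samples": len(in_scope),
        "both": len(both),
        "gained": len(gained),
        "gained_excluded": len(gained) - n_ne,
        "gained_not_excluded": n_ne,
        "gained_both_ratio": ratio(len(gained), len(both)),
        "verdicts": {v: (verdicts[v], ratio(verdicts[v], n_ne)) for v in VERDICTS},
        "malicious_over_likely_benign": ratio(mal - lb, lb),
        "already_caught": (already, ratio(already, n_ne)),
        "truly_new": (n_ne - already, ratio(n_ne - already, n_ne)),
        "core_active": Counter("Active" if s.core_active else "Not Active" for s in gained_ne),
        "actions": Counter(s.action for s in gained_ne),
        "top_other_rules": others.most_common(10),
        # Not in the bot's report: removing a condition can only widen a rule,
        # so a message matched by the production rule but not the candidate
        # means the two were not evaluated over the same messages.
        "lost": len(lost),
    }


def should_merge(report: Dict[str, object], max_likely_benign: int = 50) -> bool:
    """Assumed triage rule (the PR states no numeric threshold): accept the
    loosening when nothing was lost and the Likely Benign noise it adds is
    at or below the threshold; a change that gains nothing at all is harmless."""
    lb_count = report["verdicts"]["Likely Benign"][0]
    return report["lost"] == 0 and lb_count <= max_likely_benign


# Constructed batch, not real telemetry: one message both rules hit, six the
# candidate alone hits (one suppressed by an exclusion), and one that only
# the production rule hits, to exercise the consistency check.
SAMPLES = [
    Sample("m1", "Malicious", True, True, False, True,
           ("Attachment: PowerShell content",), "quarantine_message"),
    Sample("m2", "Likely Benign", False, True, False, True),
    Sample("m3", "Likely Benign", False, True, False, True),
    Sample("m4", "Likely Benign", False, True, False, True),
    Sample("m5", "Malicious", False, True, False, False,
           ("Credential phishing link (unknown sender)",), "webhook"),
    Sample("m6", "Graymail", False, True, True, True),
    Sample("m7", "Suspicious", False, True, False, True),
    Sample("m8", "Likely Benign", True, False, False, True),
]

if __name__ == "__main__":
    report = summarize(SAMPLES)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("should merge:", should_merge(report))
```

Verdicts, incremental value, core-rule status and actions are all computed over the Gained & Not Excluded set, as in the tables; the other-rules tally runs over every sample either rule hit, which is why a rule can appear in its own "Top Other Matched Rules" list.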

MSAdministrator (Member, Author) commented:

Rule Test Results — 09APR2026

Rule: Attachment: Office document with VSTO add-in
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 9 |
| Both Rules Match | 0 |
| Gained (new only) | 9 |
| ↳ Excluded | 0 |
| ↳ Not Excluded | 9 |
| Gained/Both Ratio | inf% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 0 | 0.0% |
| Suspicious | 0 | 0.0% |
| Likely Benign | 8 | 88.9% |
| Spam | 0 | 0.0% |
| Graymail | 0 | 0.0% |

Malicious over Likely Benign: -100.0%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 0 | 0.0% |
| Truly new (no other rule matched) | 9 | 100.0% |
| In shared EMLs (known bad) | 0 | 0.0% |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 9 |
| Not Active | 0 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |
| No Action | 9 |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| No Other rules matched | 9 |

MSAdministrator (Member, Author) commented:

)
)
)
and (
MSAdministrator (Member, Author) commented:

Rule Test Results — 13MAR2026

Rule: Attachment: Office file with suspicious function calls or downloaded file path
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 200 |
| Both Rules Match | 1 |
| Gained (new only) | 199 |
| ↳ Excluded | 12 |
| ↳ Not Excluded | 187 |
| Gained/Both Ratio | 19900.0% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 0 | 0.0% |
| Suspicious | 0 | 0.0% |
| Likely Benign | 186 | 99.5% |
| Spam | 0 | 0.0% |
| Graymail | 0 | 0.0% |

Malicious over Likely Benign: -100.0%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 7 | 3.7% |
| Truly new (no other rule matched) | 180 | 96.3% |
| In shared EMLs (known bad) | 0 | 0.0% |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 184 |
| Not Active | 3 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |
| No Action | 184 |
| restore | 1 |
| delete_message | 1 |
| webhook | 1 |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| No Other rules matched | 194 |
| Attachment: PowerShell content | 1 |
| Attachment: Office file with suspicious function calls or downloaded file path | 1 |
| Attachment: EML file with HTML attachment (unsolicited) | 1 |

MSAdministrator (Member, Author) commented:

)
)
)
and (
MSAdministrator (Member, Author) commented:

Rule Test Results — 13MAR2026

Rule: Unknown
PR: Unknown

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 0 |
| Both Rules Match | 0 |
| Gained (new only) | 0 |
| ↳ Excluded | 0 |
| ↳ Not Excluded | 0 |
| Gained/Both Ratio | inf% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 0 | N/A |
| Suspicious | 0 | N/A |
| Likely Benign | 0 | N/A |
| Spam | 0 | N/A |
| Graymail | 0 | N/A |

Malicious over Likely Benign: inf%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 0 | N/A |
| Truly new (no other rule matched) | 0 | N/A |
| In shared EMLs (known bad) | 0 | N/A |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 0 |
| Not Active | 0 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |

Top Other Matched Rules

| Rule | Count |
| --- | --- |

Top Affected Orgs

| Org | Gained Count |
| --- | --- |

Top Global Exclusion Rules

| Rule | Count |
| --- | --- |

MSAdministrator (Member, Author) commented:

Rule Test Results — 09APR2026

Rule: Unknown
PR: Unknown

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 0 |
| Both Rules Match | 0 |
| Gained (new only) | 0 |
| ↳ Excluded | 0 |
| ↳ Not Excluded | 0 |
| Gained/Both Ratio | inf% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 0 | N/A |
| Suspicious | 0 | N/A |
| Likely Benign | 0 | N/A |
| Spam | 0 | N/A |
| Graymail | 0 | N/A |

Malicious over Likely Benign: inf%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 0 | N/A |
| Truly new (no other rule matched) | 0 | N/A |
| In shared EMLs (known bad) | 0 | N/A |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 0 |
| Not Active | 0 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |

Top Other Matched Rules

| Rule | Count |
| --- | --- |

)
)
)
and (
MSAdministrator (Member, Author) commented:

Rule Test Results — 13MAR2026

Rule: Attachment: Compensation review lure with QR code
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 525 |
| Both Rules Match | 511 |
| Gained (new only) | 14 |
| ↳ Excluded | 1 |
| ↳ Not Excluded | 13 |
| Gained/Both Ratio | 2.7% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 13 | 100.0% |
| Suspicious | 0 | 0.0% |
| Likely Benign | 0 | 0.0% |
| Spam | 0 | 0.0% |
| Graymail | 0 | 0.0% |

Malicious over Likely Benign: inf%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 3 | 23.1% |
| Truly new (no other rule matched) | 10 | 76.9% |
| In shared EMLs (known bad) | 0 | 0.0% |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 0 |
| Not Active | 13 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |
| No Action | 10 |
| webhook | 1 |
| move_to_spam | 1 |
| quarantine_message | 1 |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| Attachment: Compensation review lure with QR code | 513 |
| QR Code with suspicious indicators | 446 |
| Attachment: QR code with credential phishing indicators | 423 |
| Attachment: PDF with recipient email in link | 405 |
| Link: QR Code with suspicious language (untrusted sender) | 396 |
| No Other rules matched | 352 |
| Brand impersonation: Adobe (QR code) | 204 |
| Attachment: QR code link with base64-encoded recipient address | 152 |
| Link: QR code with phishing disposition in img or pdf | 111 |
| Attachment: Adobe image lure in body or attachment with suspicious link | 44 |

)
)
)
// unsolicited
MSAdministrator (Member, Author) commented:

Rule Test Results — 13MAR2026

Rule: Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 1 |
| Both Rules Match | 1 |
| Gained (new only) | 0 |
| ↳ Excluded | 0 |
| ↳ Not Excluded | 0 |
| Gained/Both Ratio | 0.0% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 0 | N/A |
| Suspicious | 0 | N/A |
| Likely Benign | 0 | N/A |
| Spam | 0 | N/A |
| Graymail | 0 | N/A |

Malicious over Likely Benign: inf%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 0 | N/A |
| Truly new (no other rule matched) | 0 | N/A |
| In shared EMLs (known bad) | 0 | N/A |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 0 |
| Not Active | 0 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| Attachment: Microsoft impersonation via PDF with link and suspicious language | 1 |
| Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | 1 |

MSAdministrator (Member, Author) commented:

Rule Test Results — 10APR2026

Rule: Attachment: PDF with credential theft language and link to a free subdomain (unsolicited)
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 6 |
| Both Rules Match | 4 |
| Gained (new only) | 2 |
| ↳ Excluded | 0 |
| ↳ Not Excluded | 2 |
| Gained/Both Ratio | 50.0% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 2 | 100.0% |
| Suspicious | 0 | 0.0% |
| Likely Benign | 0 | 0.0% |
| Spam | 0 | 0.0% |
| Graymail | 0 | 0.0% |

Malicious over Likely Benign: inf%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 0 | 0.0% |
| Truly new (no other rule matched) | 2 | 100.0% |
| In shared EMLs (known bad) | 0 | 0.0% |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 0 |
| Not Active | 2 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |
| No Action | 2 |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| Attachment: PDF with credential theft language and link to a free subdomain (unsolicited) | 4 |
| Brand impersonation: DocuSign branded attachment lure with no DocuSign links | 3 |
| Brand impersonation: DocuSign PDF attachment with suspicious link | 3 |
| No Other rules matched | 2 |
| Fake voicemail notification (untrusted sender) | 1 |

and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "bec" and .confidence in ("medium", "high")
)
and (
MSAdministrator (Member, Author) commented:

0 results

)
)
)
and (
MSAdministrator (Member, Author) commented:

Rule Test Results — 16MAR2026

Rule: VIP impersonation with urgent request (strict match, untrusted sender)
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 11,534 |
| Both Rules Match | 1,505 |
| Gained (new only) | 10,029 |
| ↳ Excluded | 1,660 |
| ↳ Not Excluded | 8,369 |
| Gained/Both Ratio | 666.4% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 198 | 2.4% |
| Suspicious | 99 | 1.2% |
| Likely Benign | 7,800 | 93.2% |
| Spam | 6 | 0.1% |
| Graymail | 182 | 2.2% |

Malicious over Likely Benign: -97.5%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 497 | 5.9% |
| Truly new (no other rule matched) | 7,872 | 94.1% |
| In shared EMLs (known bad) | 34 | 0.4% |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 7,683 |
| Not Active | 686 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |
| No Action | 8,252 |
| quarantine_message | 57 |
| restore | 23 |
| webhook | 14 |
| warning_banner | 6 |
| auto_review | 5 |
| slack_incoming_webhook | 3 |
| move_to_spam | 2 |
| send_to_asa | 2 |
| apply warning banner to | 2 |
| trash | 1 |
| track_link_clicks | 1 |
| quarantine | 1 |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| No Other rules matched | 8,254 |
| Recon - Link in Attachment with a Request | 26 |
| Attachment: PDF contains W9 or invoice YARA signatures | 22 |
| Recon - Potential Wire Fraud (ABA) | 19 |
| Recon - Financial or Suspicious Sender Language in Sender Display Name with Link in Attachment | 13 |
| Recon - Potential Wire Fraud (IBAN) | 13 |
| Callback phishing in body or attachment (untrusted sender) | 10 |
| Brand impersonation: Internal Revenue Service | 8 |
| Commonly abused sender TLD with engaging language | 8 |

.name == "benign" and .confidence == "high"
)
)

MSAdministrator (Member, Author) commented:

Rule Test Results — 16MAR2026

Rule: Link: Free file hosting with undisclosed recipients
PR: 4102

Summary

| Metric | Value |
| --- | --- |
| Total Samples | 12,652 |
| Both Rules Match | 612 |
| Gained (new only) | 12,040 |
| ↳ Excluded | 3,580 |
| ↳ Not Excluded | 8,460 |
| Gained/Both Ratio | 1967.3% |

Verdict Breakdown (Gained & Not Excluded)

| Verdict | Count | % |
| --- | --- | --- |
| Malicious | 105 | 1.2% |
| Suspicious | 179 | 2.1% |
| Likely Benign | 8,126 | 96.1% |
| Spam | 2 | 0.0% |
| Graymail | 13 | 0.2% |

Malicious over Likely Benign: -98.7%

Incremental Value

| Metric | Count | % of Gained (Not Excluded) |
| --- | --- | --- |
| Already caught by another rule | 766 | 9.1% |
| Truly new (no other rule matched) | 7,694 | 90.9% |
| In shared EMLs (known bad) | 5 | 0.1% |

Core Rule Active at Message Time

| Status | Count |
| --- | --- |
| Active | 8,394 |
| Not Active | 66 |

Action Breakdown (Gained & Not Excluded)

| Action | Count |
| --- | --- |
| No Action | 7,778 |
| webhook | 637 |
| quarantine_message | 15 |
| auto_review | 11 |
| warning_banner | 5 |
| move_to_spam | 5 |
| apply_previous_banner | 4 |
| send_to_asa | 2 |
| trash | 2 |
| slack_incoming_webhook | 1 |

Top Other Matched Rules

| Rule | Count |
| --- | --- |
| No Other rules matched | 11,932 |
| Free subdomain link with credential theft indicators | 684 |
| Credential phishing content and link (untrusted sender) | 81 |
| Suspicious message with unscannable Cloudflare link | 61 |
| Link: Unsolicited email contains link to page containing Tycoon URI structure | 57 |
| Credential phishing: DocuSign embedded image lure with no DocuSign domains in links | 47 |
| Credential phishing: Suspicious e-sign agreement document notification | 45 |
| Credential phishing: Engaging language and other indicators (untrusted sender) | 45 |
| Brand impersonation: Dropbox | 33 |
| Credential phishing link (unknown sender) | 27 |

  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request
  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request (…e file with suspicious function calls or downloaded file path)
  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request
  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request
  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request (…ith credential theft language and link to a free subdomain (unsolicited))
  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request (… with BEC language (near match, untrusted sender))
  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request (… with urgent request (strict match, untrusted sender))
  • Apr 8, 2026: github-actions Bot added a commit to IndiaAce/sublime-rules that referenced this pull request
  • Apr 27, 2026: github-actions Bot added a commit that referenced this pull request
  • Apr 27, 2026: github-actions Bot added a commit that referenced this pull request
  • Apr 27, 2026: github-actions Bot added a commit that referenced this pull request
  • Apr 27, 2026: github-actions Bot added a commit that referenced this pull request
  • Apr 27, 2026: github-actions Bot added a commit that referenced this pull request
  • Apr 27, 2026: github-actions Bot added a commit that referenced this pull request