Skip to content

Add phishing simulation header insights for common training vendors#4914

Open
MSAdministrator wants to merge 3 commits into
mainfrom
add-phishing-simulation-insights
Open

Add phishing simulation header insights for common training vendors#4914
MSAdministrator wants to merge 3 commits into
mainfrom
add-phishing-simulation-insights

Conversation

@MSAdministrator

Copy link
Copy Markdown
Member

Summary

Adds informational insight (query) rules under insights/headers/ that surface phishing-simulation / security-awareness-training messages, tagged Headers and Phishing simulation. Covers the following vendors:

  • Adaptive Security
  • Arctic Wolf MSA
  • Breach Secure Now
  • BullPhish
  • CanIPhish
  • Fable
  • Huntress
  • InfoSec IQ
  • Material
  • Microsoft
  • Mimecast
  • NINJIO
  • Phish Notify
  • Phished
  • Proofpoint
  • Right Hand AI

Notes

These are informational severity query rules that identify simulation senders by their known sending domains. Several complement the exclusion rules in #4913.

🤖 Generated with Claude Code

Adds informational insight (query) rules that surface phishing
simulation / security awareness training messages from the following
vendors: Adaptive Security, Arctic Wolf MSA, Breach Secure Now,
BullPhish, CanIPhish, Fable, Huntress, InfoSec IQ, Material,
Microsoft, Mimecast, NINJIO, Phish Notify, Phished, Proofpoint, and
Right Hand AI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@MSAdministrator
MSAdministrator requested a review from a team July 16, 2026 21:33
@MSAdministrator
MSAdministrator requested a review from a team as a code owner July 16, 2026 21:33
The root_domain linter flagged 4 literals that can never match a
root_domain comparison:
- avoidphishing.securityeducation.com (subdomain; securityeducation.com
  is already listed in the same block)
- avoidphishing.eu.securityeducation.com (subdomain; ditto)
- avoidphishing.ap.securityeducation.com (subdomain; ditto)
- corpinternal.org2 (invalid TLD; root_domain resolves to "org2.")

Removed all four dead literals. No matching coverage is lost since the
registrable domain securityeducation.com remains in each block.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@MSAdministrator

Copy link
Copy Markdown
Member Author

⚠️ Note: root_domain list may need updating

CI's root_domain misuse check flagged 4 literals in phishing_simulation_proofpoint.yml that can never match a sender.email.domain.root_domain comparison. I removed them to get CI green, but this points at a coverage gap worth reviewing:

  • avoidphishing.securityeducation.com

  • avoidphishing.eu.securityeducation.com

  • avoidphishing.ap.securityeducation.com

    These are subdomains of securityeducation.com. root_domain resolves them to securityeducation.com, which is already listed in each block — so removing them loses no coverage. However, if the intent was to match only the avoidphishing.* subdomains (and not all of securityeducation.com), the correct fix is to compare against sender.email.domain.domain instead of root_domain. Please confirm which behavior is desired.

  • corpinternal.org2

    .org2 is not a valid TLD, so root_domain resolves to org2. and this never matches. If a real domain was intended (e.g. corpinternal.org), it should be corrected rather than dropped.

More broadly: several of these simulation domain lists are long and may contain other subdomain/invalid-TLD entries that don't trip the linter but still won't match as intended. The full root_domain lists across the phishing-simulation insights may be worth an audit/refresh.

Runs the repo's mql_format.py over the new insight rules so their
source matches the canonical formatting. CI's auto-format step
reformats these but cannot commit the result back (its `git add`
glob doesn't reach insights/headers/*.yml two levels deep), so the
formatting must be committed manually.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant