From fb8d3668b34301076fcfd48d25353a9e47260de0 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Wed, 5 Nov 2025 15:56:06 -0800
Subject: [PATCH] Refine regex for detecting fake fax communications

Updated regex patterns to improve detection of fake fax messages.
---
 detection-rules/link_fake_fax_low_reputation.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml
index d4e55b1b8e6..da04c2d6805 100644
--- a/detection-rules/link_fake_fax_low_reputation.yml
+++ b/detection-rules/link_fake_fax_low_reputation.yml
@@ -19,7 +19,8 @@ source: |
  '\bfax\b',
  '[ve][[:punct:]]?fax',
  '[[:punct:]]fax\b',
- '\bfax[[:punct:]]'
+ '\bfax[[:punct:]]',
+ 'fr[[:punct:]].{0,25}document'
  )
  )
  )
@@ -33,7 +34,7 @@ source: |
  or strings.icontains(., "Fax Status")
  or strings.icontains(., "Fax ID")
  or strings.icontains(., "New Fax Document")
- or regex.icontains(., "(?:received|have) a (?:new )?fax")
+ or regex.icontains(., '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax')
  or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
  or regex.icontains(., 'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
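Review bot: The new alternative `'fr[[:punct:]].{0,25}document'` in the first hunk is much looser than its siblings: it has no word boundary before `fr`, and `[[:punct:]]` includes `/`, `-` and `_`, so a constructed example such as a localized path segment `/fr/documents` or a `fr-FR` language tag followed by "document" within 25 characters would satisfy it, which is a plausible false-positive source for a low-reputation-link rule. Anchoring both ends, e.g. `'\bfr[[:punct:]].{0,25}\bdocument\b'`, keeps the intended match while excluding substring hits; the enclosing regex call and its match target begin outside this hunk, so whether this is evaluated against link text or body should be confirmed. The intent of `fr` is also not stated anywhere in the change, and since every other alternative is a "fax" variant, a sample string in the rule's description or test corpus noting what `fr[[:punct:]]` is meant to catch would help the next maintainer judge the pattern.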