Merge pull request #389 from dreadphones/patch-14
Update Bazacall Emails.md
This commit is contained in:
Commit
8a97759be6
@ -2,11 +2,11 @@
Bazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. These emails contain no links or attachments, and use automatic payment lures to trick users into contacting the number included in the email.
## Query
This query looks for the subject lines associated with known Bazacall emails, using a regex to match on the fake account number pattern and a few keywords that are frequently used in these subjects.
This query looks for the subject lines associated with known Bazacall emails, using a regex to match on the fake account number pattern and a few keywords that are frequently used in these subjects. NOTE: Some emails contain the fake account number in the body of the email rather than the subject. In these instances, searching on keyword alone may surface related emails. Verify maliciousness by matching the regex for the account number in the body of the email if possible.
```
EmailEvents
| where Subject matches regex @"[A-Z]{1,3}(?:\d{15}|\d{10})"
and Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold')
| where Subject matches regex @"[A-Z]{1,3}(?:\d{9,15})"
and Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold', 'notification', 'notice', 'claim', 'order', 'license', 'licenses')
```
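Review bot: the loosened regex `[A-Z]{1,3}(?:\d{9,15})` combined with the new generic keywords ('notification', 'notice', 'claim', 'order', 'license', 'licenses') widens this query well beyond Bazacall lures; a legitimate order confirmation with a subject like "Order AB1234567890 shipped" now matches. The pattern has no anchors, so it also fires inside longer alphanumeric tokens, and the `(?:...)` group around a single `\d{9,15}` is redundant. Suggest anchoring on word boundaries, e.g. `| where Subject matches regex @"\b[A-Z]{1,3}\d{9,15}\b"`, and, since the description at the top of the file states these emails carry no links or attachments, adding `| where AttachmentCount == 0 and UrlCount == 0` to cut the false positives the broader keyword list introduces. The added NOTE tells the analyst to match the account-number regex against the email body, but the query only inspects Subject; either say how that body check is to be performed or drop the sentence so the guidance matches what the query actually does.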