[Test Rules] [PR #4368] modified rule: Link: Invoice-related BEC with newly registered domain < 60 days

github-actions[bot] · github-actions[bot] · commit 067d0d4102e1 · 2026-04-28T02:16:02.000Z
diff --git a/detection-rules/4368_link_previous_thread_invoice.yml b/detection-rules/4368_link_previous_thread_invoice.yml
@@ -23,7 +23,6 @@ source: |
                               'ACH',
                               'kindly download',
                               'document',
-                              'kindly',
                               'urgently',
                               'confirm'
               )
@@ -32,30 +31,18 @@ source: |
         any(ml.nlu_classifier(body.current_thread.text).intents,
             .name == "bec" and .confidence != "low"
         )
-        or (
-          any(ml.nlu_classifier(body.current_thread.text).entities,
-              .name in ("urgency", "request")
-          )
-        )
         or any(ml.nlu_classifier(body.current_thread.text).tags,
                .name in ("invoice", "payment")
         )
+        or any(ml.nlu_classifier(body.current_thread.text).entities,
+               .name == "request" and .text == "kindly download to view"
+        )
       )
     )
     // prevent benign emails
     and not any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name == "benign"
     )
-    // and (
-    //   (
-    //     profile.by_sender().prevalence != "common"
-    //     and not profile.by_sender().solicited
-    //   )
-    //   or (
-    //     profile.by_sender().any_messages_malicious_or_spam
-    //     and not profile.by_sender().any_messages_benign
-    //   )
-    // )
     // negate highly trusted sender domains unless they fail DMARC authentication
     and (
       (
@@ -79,4 +66,4 @@ detection_methods:
 id: "51c6b50f-7a68-5ee8-9897-510d11bc255c"
 og_id: "fee020b6-4a01-5ed3-a924-b5aa4415d3e9"
 testing_pr: 4368
-testing_sha: 0e93397c19fc459f8645002eb59dfe1640852ffc
+testing_sha: 0b56aa4ef742827747930a6fe1636c2a349bf5ab
