[Shared Samples] [PR #4289] modified rule: PR# 4289 - Fake thread with suspicious indicators

github-actions[bot] · github-actions[bot] · commit 0972364d7a99 · 2026-04-07T16:04:45.000Z
diff --git a/detection-rules/4289_fake_thread_suspicious_indicators.yml b/detection-rules/4289_fake_thread_suspicious_indicators.yml
@@ -152,7 +152,7 @@ source: |
     // mailto mismatch from freemailer
     (
       any(body.links,
-          strings.istarts_with(.href_url.url, "mailto:")
+          .href_url.scheme == 'mailto'
           and .display_text is not null
           and strings.icontains(.display_text, "@")
           and not strings.icontains(.href_url.url, .display_text)

Original file line number	Diff line number	Diff line change
`@@ -152,7 +152,7 @@ source: \|`
`152`	`152`	`// mailto mismatch from freemailer`
`153`	`153`	`(`
`154`	`154`	`any(body.links,`
`155`		`- strings.istarts_with(.href_url.url, "mailto:")`
	`155`	`+ .href_url.scheme == 'mailto'`
`156`	`156`	`and .display_text is not null`
`157`	`157`	`and strings.icontains(.display_text, "@")`
`158`	`158`	`and not strings.icontains(.href_url.url, .display_text)`