[Test Rules] [PR #4370] modified rule: Fake thread with suspicious indicators

Author: github-actions[bot]

detection-rules/4370_fake_thread_suspicious_indicators.yml

@@ -148,16 +148,6 @@ source: |
     // body contains recipient SLD
     any(recipients.to,
         strings.icontains(body.current_thread.text, .email.domain.sld)
-    ),
-    // mailto mismatch from freemailer
-    (
-      any(body.links,
-          .href_url.scheme == 'mailto'
-          and .display_text is not null
-          and strings.icontains(.display_text, "@")
-          and not strings.icontains(.href_url.url, .display_text)
-      )
-      and sender.email.domain.root_domain in $free_email_providers
     )
   )
   and any(body.previous_threads,
@@ -192,4 +182,4 @@ detection_methods:
 id: "7aa90055-eac4-545b-adfc-31b2a6eef814"
 og_id: "c2e18a57-1f52-544f-bb6d-a578e286cf89"
 testing_pr: 4370
-testing_sha: 0656ba6fc7ba475ce14ec9d9db985430046a4fd3
+testing_sha: ab86b541787daa283ca767afd25d0f9d8d214515