[Shared Samples] [PR #4367] modified rule: PR# 4367 - Link: Cloud service with credential theft language

Author: github-actions[bot]

detection-rules/4367_link_credential_phishing_cloud_service.yml

@@ -26,6 +26,11 @@ source: |
     // check for SPF or DMARC passed
     and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
   )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: