[Shared Samples] [PR #4378] modified rule: PR# 4378 - Link: Single character path with credential theft body and self sender behavior or invalid recipient

github-actions[bot] · github-actions[bot] · commit 4434a4e27ada · 2026-04-23T17:06:32.000Z
diff --git a/detection-rules/4378_self_sender_cred_theft_short_path_link.yml b/detection-rules/4378_self_sender_cred_theft_short_path_link.yml
@@ -1,10 +1,10 @@
-name: "PR# 4378 - Link: Self-sent credential theft with single character path"
-description: "Detects messages sent to oneself containing links with single character paths and credential theft language, commonly used to bypass security filters and deliver malicious content."
+name: "PR# 4378 - Link: Single character path with credential theft body and self sender behavior or invalid recipient"
+description: "Message where the sender and recipient are the same or the recipient domain is invalid, contains a link with a single character path and no query parameters or fragments, and includes credential theft language."
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  // self sender
+  // self sender or invaild recipent domain
   and length(recipients.to) == 1
   and (
     sender.email.email == recipients.to[0].email.email
