Skip to content

Commit 465e29d

Browse files
[Test Rules] [PR #4498] modified rule: Link: Generic financial document and suspicious hosting template
1 parent b8b74a5 commit 465e29d

1 file changed

Lines changed: 8 additions & 17 deletions

File tree

detection-rules/4498_link_financial_document_timeline_template.yml

Lines changed: 8 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -4,14 +4,11 @@ type: "rule"
44
severity: "medium"
55
source: |
66
type.inbound
7-
// standard generic greeting
8-
and (
9-
strings.istarts_with(body.current_thread.text, "dear sir/madam")
10-
// expectation of time
11-
and regex.icontains(body.current_thread.text,
12-
'will be released|\b[1-4].[1-4]\b.{1,10}days?'
13-
)
7+
// expectation of time
8+
and regex.icontains(body.current_thread.text,
9+
'will be released|\b[1-4].[1-4]\b.{1,10}days?'
1410
)
11+
1512
// link is malicious
1613
and any(body.links,
1714
// key phrasing or nlu
@@ -42,16 +39,10 @@ source: |
4239
and length(recipients.cc) == 0
4340
and sender.email.email == recipients.to[0].email.email
4441
)
45-
// no recipient
42+
// the recipient is undisclosed or there are no recipients
4643
or (
47-
(
48-
length(recipients.to) == 0
49-
and length(recipients.bcc) == 0
50-
and length(recipients.cc) == 0
51-
)
52-
or any(recipients.to,
53-
strings.ilike(.display_name, "undisclosed?recipients")
54-
)
44+
length(recipients.to) == 0
45+
or all(recipients.to, .email.domain.valid == false)
5546
)
5647
)
5748
@@ -72,4 +63,4 @@ detection_methods:
7263
id: "1a6e4ced-4391-597f-9184-d4d1c57dedc7"
7364
og_id: "027cb65d-aee3-5f10-9555-20b719bbde42"
7465
testing_pr: 4498
75-
testing_sha: a68fc0d514655d0c378e43c8700abcf31b7af00e
66+
testing_sha: 9384da2d92eb56b85e45f5eee0fdc7c27fc77479

0 commit comments

Comments
 (0)