[Test Rules] [PR #4586] modified rule: BEC: Tax document request

github-actions[bot] · github-actions[bot] · commit 4e95bdd6edd0 · 2026-06-05T22:14:25.000Z
diff --git a/detection-rules/4586_tax_w2_impersonation.yml b/detection-rules/4586_tax_w2_impersonation.yml
@@ -4,7 +4,6 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and length(body.current_thread.text) < 500
   and sender.email.local_part in~ (
     "contact",
     "no-reply",
@@ -35,10 +34,17 @@ source: |
   )
   // body text containing variations of "W2"
   and (
-    strings.icontains(body.current_thread.text, "w2")
-    or strings.icontains(body.current_thread.text, "W-2")
-    or strings.icontains(body.current_thread.text, "Ẇ-2's")
-    or strings.icontains(body.current_thread.text, "wage")
+    (
+      strings.icontains(body.current_thread.text, "w2")
+      or strings.icontains(body.current_thread.text, "W-2")
+      or strings.icontains(body.current_thread.text, "Ẇ-2")
+      or strings.icontains(body.current_thread.text, "wage statements")
+    )
+    or (
+      length(headers.reply_to) > 0
+      and all(headers.reply_to, network.whois(.email.domain).days_old <= 60)
+      and strings.icontains(body.current_thread.text, "W-2")
+    )
   )
   and any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "request"
@@ -77,4 +83,4 @@ detection_methods:
 id: "63c3bc52-a276-5c6b-8f63-98e01313df92"
 og_id: "4834a45e-6d70-5ad9-9043-024eea995e95"
 testing_pr: 4586
-testing_sha: 9cba097822000f3e32017946d07980630b2e5bba
+testing_sha: 5e27ee8e6d3285b614045f6644ce7a5018f5858f
