[Test Rules] [PR #4367] modified rule: Link: Cloud service with credential theft language

Author: github-actions[bot]

detection-rules/4367_link_credential_phishing_cloud_service.yml

@@ -26,6 +26,11 @@ source: |
     // check for SPF or DMARC passed
     and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
   )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -38,4 +43,4 @@ detection_methods:
 id: "a096a1cc-6777-55c3-92be-b45aa1b58513"
 og_id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"
 testing_pr: 4367
-testing_sha: 7bd6db9f21f3ed6be98fc084b3baf4185550c36a
+testing_sha: d3a9bf4f1d63bffaa009b7e09c729bb7b690621e