[Shared Samples] [PR #4367] modified rule: PR# 4367 - Link: Cloud service with credential theft language

Author: github-actions[bot]

detection-rules/4367_link_credential_phishing_cloud_service.yml

@@ -20,7 +20,12 @@ source: |
   and all(body.links,
           .href_url.domain.root_domain != sender.email.domain.root_domain
   )
-
+  // negate legit cloud companies
+  and not (
+    sender.email.domain.root_domain in ("cloud-cme.com", "cloudcounting.online")
+    // check for SPF or DMARC passed
+    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+  )
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: