[Test Rules] [PR #4367] modified rule: Link: Cloud service with credential theft language

github-actions[bot] · github-actions[bot] · commit 5ae3df0d5f4e · 2026-04-22T18:13:04.000Z
diff --git a/detection-rules/4367_link_credential_phishing_cloud_service.yml b/detection-rules/4367_link_credential_phishing_cloud_service.yml
@@ -20,7 +20,12 @@ source: |
   and all(body.links,
           .href_url.domain.root_domain != sender.email.domain.root_domain
   )
-
+  // negate legit cloud companies
+  and not (
+    sender.email.domain.root_domain in ("cloud-cme.com", "cloudcounting.online")
+    // check for SPF or DMARC passed
+    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
+  )
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -33,4 +38,4 @@ detection_methods:
 id: "a096a1cc-6777-55c3-92be-b45aa1b58513"
 og_id: "5f1395a6-e2ae-5175-ad29-5f35111219fd"
 testing_pr: 4367
-testing_sha: 57bb943caa5ef2f01f910e5f009ba16eeccc6c66
+testing_sha: 7bd6db9f21f3ed6be98fc084b3baf4185550c36a
