[Shared Samples] [PR #4586] modified rule: PR# 4586 - BEC: Tax document request

Author: github-actions[bot]

detection-rules/4586_tax_w2_impersonation.yml

@@ -49,14 +49,13 @@ source: |
   and any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "request"
   )
-  and not (
-    strings.ilike(sender.display_name,
-                  "*Excel*",
-                  "*SharePoint*",
-                  "*PowerPoint*",
-                  "*OneNote*",
-                  "*Microsoft*"
-    )
+  and sender.email.domain.root_domain not in (
+    "excel.com",
+    "sharepoint.com",
+    "sharepointonline.com",
+    "powerpoint.com",
+    "onenote.com",
+    "microsoft.com"
   )
   and not any(ml.nlu_classifier(body.current_thread.text).intents,
               .name == "benign" and .confidence == "high"