[Shared Samples] [PR #4300] modified rule: PR# 4300 - Attachment: Callback scam file extension

Author: github-actions[bot]

detection-rules/4300_callback_scam_file_extension.yml

@@ -4,18 +4,24 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and (body.current_thread.text is null or length(body.current_thread.text) < 500)
+  and length(body.current_thread.text) < 2000
   and any(attachments,
-          (.file_extension in~ ("ppt", "pptx"))
-          and (
-            any(file.explode(.),
-                any(ml.nlu_classifier(.scan.strings.raw).intents,
-                    .name == "callback_scam" and .confidence != "low"
-                )
-            )
+          .file_extension in~ ("ppt", "pptx")
+          and any(file.explode(.),
+                  any(ml.nlu_classifier(.scan.strings.raw).intents,
+                      .name == "callback_scam" and .confidence != "low"
+                  )
           )
   )
-  and not sender.email.domain.root_domain in $high_trust_sender_root_domains
+  and sender.email.domain.root_domain in $free_email_providers
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    coalesce(sender.email.domain.root_domain in $high_trust_sender_root_domains
+             and not headers.auth_summary.dmarc.pass,
+             false
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
 attack_types:
   - "Callback Phishing"
 tactics_and_techniques: