[Shared Samples] [PR #4683] modified rule: PR# 4683 - Brand impersonation: Claude with newly registered domains

github-actions[bot] · github-actions[bot] · commit b8c72a4fa6e2 · 2026-06-16T22:57:16.000Z
diff --git a/detection-rules/4683_impersonation_claude_domain.yml b/detection-rules/4683_impersonation_claude_domain.yml
@@ -27,10 +27,6 @@ source: |
                        "(?:early.{0,20}claude|claude.{0,20}(?:early.access|ads))"
     )
   )
-  // and any(body.links,
-  //         strings.icontains(.href_url.domain.domain, 'claude-marketing-team.com')
-  //         or strings.icontains(.href_url.domain.domain, 'anthropic-ads.com')
-  // )
   // negate highly trusted sender domains unless they fail DMARC authentication
   and not (
     sender.email.domain.root_domain in $high_trust_sender_root_domains

Original file line number	Diff line number	Diff line change
`@@ -27,10 +27,6 @@ source: \|`
`27`	`27`	`"(?:early.{0,20}claude\|claude.{0,20}(?:early.access\|ads))"`
`28`	`28`	`)`
`29`	`29`	`)`
`30`		`- // and any(body.links,`
`31`		`- // strings.icontains(.href_url.domain.domain, 'claude-marketing-team.com')`
`32`		`- // or strings.icontains(.href_url.domain.domain, 'anthropic-ads.com')`
`33`		`- // )`
`34`	`30`	`// negate highly trusted sender domains unless they fail DMARC authentication`
`35`	`31`	`and not (`
`36`	`32`	`sender.email.domain.root_domain in $high_trust_sender_root_domains`