[Test Rules] [PR #4378] modified rule: Link: Single character path with credential theft body and self sender behavior or invalid recipient

github-actions[bot] · github-actions[bot] · commit d666a313b5ad · 2026-04-23T17:07:35.000Z
diff --git a/detection-rules/4378_self_sender_cred_theft_short_path_link.yml b/detection-rules/4378_self_sender_cred_theft_short_path_link.yml
@@ -1,10 +1,10 @@
-name: "Link: Single character path with credential theft body and self sender behavior"
-description: "Detects messages sent to oneself containing links with single character paths and credential theft language, commonly used to bypass security filters and deliver malicious content."
+name: "Link: Single character path with credential theft body and self sender behavior or invalid recipient"
+description: "Message where the sender and recipient are the same or the recipient domain is invalid, contains a link with a single character path and no query parameters or fragments, and includes credential theft language."
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  // self sender
+  // self sender or invaild recipent domain
   and length(recipients.to) == 1
   and (
     sender.email.email == recipients.to[0].email.email
@@ -33,4 +33,4 @@ detection_methods:
 id: "d47242e9-cf63-5dea-8aba-fcd6c2226b71"
 og_id: "c97982e6-eaa2-53e3-ba8f-0dc4db55b936"
 testing_pr: 4378
-testing_sha: 59f582fb35011591b4ebd4d1aed2ad835752d616
+testing_sha: 5cdf4ccb8f79ce2981c046a3b286a2e63632fcc0
