[Shared Samples] [PR #4319] modified rule: PR# 4319 - Brand impersonation: Robinhood

Author: github-actions[bot]

detection-rules/4319_brand_impersonation_robinhood.yml

@@ -67,11 +67,20 @@ source: |
       )
       or length(headers.references) == 0
     )
+    and (
+      (
+        profile.by_sender().prevalence != "common"
+        and not profile.by_sender().solicited
+      )
+    )
     // negate newsletters and webinars
     and not any(ml.nlu_classifier(body.current_thread.text).topics,
                 .name in ("Newsletters and Digests", "Events and Webinars")
                 and .confidence == "high"
     )
+    and not any(ml.nlu_classifier(body.current_thread.text).intents,
+                .name == "benign" and .confidence == "high"
+    )
     and not (
       sender.email.domain.root_domain in (
         "robinhood.com",
@@ -83,6 +92,14 @@ source: |
       and coalesce(headers.auth_summary.dmarc.pass, false)
     )
   )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
 
 attack_types:
   - "Credential Phishing"