[Test Rules] [PR #4276] modified rule: Brand impersonation: Microsoft with embedded logo and credential theft language

github-actions[bot] · github-actions[bot] · commit f575694778f5 · 2026-04-20T11:15:51.000Z
diff --git a/detection-rules/4276_impersonation_microsoft_credential_theft.yml b/detection-rules/4276_impersonation_microsoft_credential_theft.yml
@@ -122,14 +122,13 @@ source: |
                    strings.icontains(subject.subject, .display_text)
                    or .display_text == "Open"
             ),
-            .href_url.domain.root_domain == "mimecastprotect.com"
-            and (
-              any(.href_url.query_params_decoded["domain"], . == "sharepoint.com")
-              or (
-                any(.href_url.query_params_decoded["domain"],
+            .href_url.domain.root_domain in (
+              "mimecastprotect.com",
+              "mimecast.com"
+            )
+            and any(.href_url.query_params_decoded["domain"],
                     strings.parse_domain(.).tld == "ms"
-                )
-              )
+                    or strings.parse_domain(.).root_domain == "sharepoint.com"
             )
     )
   )
@@ -156,4 +155,4 @@ detection_methods:
 id: "a7baaf42-c489-59b7-bd34-8deaef1c3d6d"
 og_id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"
 testing_pr: 4276
-testing_sha: 26bfeb8a95c298edde3d71cb77dfefc566d060ee
+testing_sha: cd951f0dbe235766ea70bf66f61211986a3aefd1
