[Test Rules] [PR #4611] modified rule: Link: Remittance payment request with suspicious indicators

github-actions[bot] · github-actions[bot] · commit fe8bd5bba829 · 2026-06-04T13:33:06.000Z
diff --git a/detection-rules/4611_link_remittance_suspicious.yml b/detection-rules/4611_link_remittance_suspicious.yml
@@ -6,7 +6,9 @@ source: |
   type.inbound
   and strings.icontains(body.plain.raw, "business days")
   and strings.icontains(body.plain.raw, "account")
-  and any(body.links, strings.icontains(.href_url.path, "remittance"))
+  and any(filter(body.links, .href_url.domain.root_domain not in $tranco_10k),
+          strings.icontains(.href_url.path, "remittance")
+  )
 attack_types:
   - "BEC/Fraud"
   - "Credential Phishing"
@@ -18,4 +20,4 @@ detection_methods:
 id: "06d21fb0-41f5-58c1-82cc-2a2660be213f"
 og_id: "10dde1bf-480e-589b-95a3-3f81b811b667"
 testing_pr: 4611
-testing_sha: 580e01e20708144c999417b840ea538b744464ea
+testing_sha: 987d225894e9eeda525053dd8c51758b999a179b
