From 1ecc57cfb41733e746256afb6d192c2194b4cdab Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 13 Nov 2023 21:05:12 -0500
Subject: [PATCH] Update link_quickbooks_image_lure_suspicious_link.yml (#950)

---
 .../link_quickbooks_image_lure_suspicious_link.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
index 26254fee409..5cec3acdab7 100644
--- a/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
+++ b/detection-rules/link_quickbooks_image_lure_suspicious_link.yml
@@ -17,11 +17,11 @@ source: |
 or body.current_thread.text is null
 )
 or (
- length(body.current_thread.text) < 900
+ length(body.current_thread.text) < 1500
 // or body is most likely all warning banner (text contains the sender and common warning banner language)
 and (
 regex.icontains(body.current_thread.text,
- 'caution|confidentiality notice|warning'
+ 'caution|confidentiality notice|warning|disclaimer'
 )
 )
 )
@@ -41,6 +41,7 @@ source: |
 "hubspotlinks.com",
 "mandrillapp.com",
 "sendgrid.net",
+ "naylorcampaigns.com",
 "rs6.net"
 )
 )
@@ -80,6 +81,7 @@ source: |
 )
 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
+
 attack_types:
 - "Credential Phishing"
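Review bot: The comment above the length check (`// or body is most likely all warning banner (text contains the sender and common warning banner language)`) promises a sender check that the `regex.icontains` below it never performs, and the widening from 900 to 1500 characters together with the new `disclaimer` alternative makes that short-body branch match ordinary short messages whose signature carries a disclaimer line. The comment should describe what is actually tested, e.g. `// or body is short and consists mostly of warning/disclaimer banner language`, and the reason for choosing 1500 is worth recording next to the number so the next tuning has a baseline. The pattern is unanchored, so `warning` also matches inside words such as "forewarning"; if the regex engine supports word boundaries, `'\b(caution|confidentiality notice|warning|disclaimer)\b'` narrows it without losing the intended matches. The enclosing `source:` expression starts before this hunk, so the condition joined by the leading `or (` is not visible here.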
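Review bot: `"naylorcampaigns.com"` is added to the list without any comment recording why it belongs with the existing entries, which appear to be bulk-mail link-tracking domains (hubspotlinks.com, mandrillapp.com, sendgrid.net, rs6.net), so a later reviewer cannot tell whether it is a lure-hosting observation or a benign-sender carve-out. A one-line comment at the head of the list such as `// bulk-mail link-tracking domains; see <reason for each entry> (naylorcampaigns.com: #950)` would make the intent auditable. The list and the condition consuming it begin before this hunk, so how these domains are matched (root domain versus full host) is not visible here.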