From 254c6cb884899bc450da1191a5f24d709f28eef4 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 3 Oct 2023 14:01:54 -0700
Subject: [PATCH] Updating Rule: attachment_docusign_image_suspicious_links.yml (#761)
Co-authored-by: Sam Scholten
---
 ...chment_docusign_image_suspicious_links.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index 514b82554c1..32fae6b6654 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -27,12 +27,23 @@ source: |
   ) and (
     (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
+      (
+        sender.email.domain.root_domain in $free_email_providers
+        and sender.email.email not in $sender_emails
+      )
+      or (
+        sender.email.domain.root_domain not in $free_email_providers
+        and sender.email.domain.domain not in $sender_domains
+      )
     )
     or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
+      sender.email.email in $sender_emails
+      and any(distinct(headers.hops, .received_spf.verdict is not null),
+        regex.icontains(.received_spf.verdict, "fail|error")
+        or any(distinct(headers.hops, .authentication_results.dmarc is not null),
+          strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
     )
   )
 attack_types:
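Review bot: The DMARC check in the new `or (` branch is nested inside the predicate of the SPF `any(...)`, so as the nesting reads it is only evaluated when at least one hop carries a non-null `received_spf.verdict`; a message from an address in `$sender_emails` whose only failing signal is `authentication_results.dmarc`, with no Received-SPF hop at all, would not match this branch. If the intent is "SPF fail/error OR DMARC fail", as the `or` suggests, hoisting the second `any(...)` to sit beside the first makes that explicit and removes the dependence on the SPF hop filter. The enclosing `source: |` block scalar starts before this hunk, so any rewrite must keep the block's indentation. It is also worth a one-line comment in the rule that `regex.icontains(.received_spf.verdict, "fail|error")` deliberately matches `softfail`, `temperror` and `permerror` as well as a hard `fail`, since a reader may otherwise assume only hard failures are intended.
```yaml
      sender.email.email in $sender_emails
      and (
        any(distinct(headers.hops, .received_spf.verdict is not null),
          regex.icontains(.received_spf.verdict, "fail|error")
        )
        or any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
```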