Update impersonation_human_resources.yml (#890)

sublime-security · Oct 31, 2023 · 37b59d7 · 37b59d7
1 parent d708c1d
commit 37b59d7
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
@@ -8,9 +8,8 @@ source: |
   and regex.icontains(sender.display_name,
                       '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
   )
-  and (length(body.links) > 0 or length(attachments) > 0)
-  
-  // Request and Urgency 
+  and  (0 < length(body.links) < 10 or length(attachments) > 0)
+  // Request and Urgency
   and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
   and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
   and (
@@ -24,7 +23,6 @@ source: |
       and not profile.by_sender().any_false_positives
     )
   )
-
   // negate highly trusted sender domains unless they fail DMARC authentication
   and
   (
@@ -38,7 +36,6 @@ source: |
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
-
 attack_types:
   - "BEC/Fraud"
   - "Credential Phishing"