From 37b59d7530d095c09ed9f1d0d3233b68ddf8c478 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 31 Oct 2023 10:21:32 -0400
Subject: [PATCH] Update impersonation_human_resources.yml (#890)

---
 detection-rules/impersonation_human_resources.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index dde8c198b23..afa449157b2 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -8,9 +8,8 @@ source: |
 and regex.icontains(sender.display_name,
 '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)'
 )
- and (length(body.links) > 0 or length(attachments) > 0)
-
- // Request and Urgency
+ and (0 < length(body.links) < 10 or length(attachments) > 0)
+ // Request and Urgency
 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
 and (
@@ -24,7 +23,6 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
- // negate highly trusted sender domains unless they fail DMARC authentication
 and (
@@ -38,7 +36,6 @@ source: |
 )
 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
-
 attack_types:
 - "BEC/Fraud"
 - "Credential Phishing"
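Review bot: The new upper bound in `and (0 < length(body.links) < 10 or length(attachments) > 0)` opens a coverage gap that the commit leaves undocumented: a message that otherwise matches every HR-impersonation, request and urgency signal no longer fires once it carries 10 or more links, unless it also has an attachment, and nothing in the rule records why 10 was chosen or that the bound is exclusive. A one-line comment above the condition would keep the next maintainer from reading the cap as a typo, e.g. `// cap link count to drop newsletter-style mail; messages with 10+ links only match via the attachment branch`. It is also worth confirming that the query language evaluates the chained form as a range test rather than comparing the boolean `0 < length(body.links)` against 10; if the semantics are in doubt, the explicit `length(body.links) > 0 and length(body.links) < 10` is unambiguous. The enclosing `source:` block starts above this hunk and continues past it, so the rest of the condition is not visible here.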