From 40e65686359c88006af815e8c0a1dbba4dabd370 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 7 Sep 2023 19:50:52 -0700
Subject: [PATCH] Updating Rule: link_microsoft_low_reputation.yml (#759)

Co-authored-by: Sam Scholten
---
 detection-rules/link_microsoft_low_reputation.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 31c5b22c5f9..3579bb944e5 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -15,6 +15,12 @@ source: |
 // mass mailer link, masks the actual URL
 .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net")
+
+ // Google AMP redirect
+ or (
+ .href_url.domain.sld == "google"
+ and strings.starts_with(.href_url.path, "/amp/")
+ )
 )
 // exclude sources of potential FPs
@@ -114,7 +120,6 @@ source: |
 )
 )
 )
- and sender.email.domain.root_domain not in $org_domains
 and sender.email.domain.root_domain not in (
 "bing.com",
 "microsoft.com",
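Review bot: The added `or ( .href_url.domain.sld == "google" and strings.starts_with(.href_url.path, "/amp/") )` clause counts every Google AMP link as a low-reputation link without looking at the destination the AMP path wraps. Its false-positive behaviour therefore rests entirely on the brand-impersonation and sender conditions elsewhere in the rule, which start and end outside this hunk. The one-line comment does not tell the next maintainer this; I would expand it to `// Google AMP redirect: masks the real destination like the mass-mailer domains above; matched on any google.<tld> host, wrapped URL is not evaluated`. Matching on `sld` rather than `root_domain` is TLD-agnostic, which looks intended (country domains), but it is worth stating in the comment so nobody later "tightens" it by accident.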