Sync from PR#2144

Create impersonation_schwab.yml by @morriscode
#2144
Source SHA de40d45
Triggered by @morriscode

detection-rules/impersonation_schwab.yml

@@ -26,36 +26,26 @@ source: |
   )
 
   // and the sender is not in org_domains or from charles shwab domains and passes auth
-  and (
-    (
-      (
-        sender.email.domain.root_domain in $org_domains
-        or sender.email.domain.root_domain in (
-          "schwab.com",
-          "aboutschwab.com.",
-          "schwabmoneywise.com"
-        )
-      )
-      and not headers.auth_summary.dmarc.pass
-    )
+  and not (
+    sender.email.domain.root_domain in $org_domains
     or (
-      sender.email.domain.root_domain not in $org_domains
-      and sender.email.domain.root_domain not in (
+      sender.email.domain.root_domain in (
         "schwab.com",
         "aboutschwab.com.",
         "schwabmoneywise.com"
       )
+      and headers.auth_summary.dmarc.pass
     )
   )
-  // and the sender is not from high trust sender root domains
-  and (
-    (
-      sender.email.domain.root_domain in $high_trust_sender_root_domains
-      and not headers.auth_summary.dmarc.pass
+    // and the sender is not from high trust sender root domains
+    and (
+      (
+        sender.email.domain.root_domain in $high_trust_sender_root_domains
+        and not headers.auth_summary.dmarc.pass
+      )
+      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
     )
-    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
-  )
-  and not profile.by_sender().solicited
+    and not profile.by_sender().solicited
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -67,4 +57,4 @@ detection_methods:
   - "Sender analysis"
 id: "7abde595-bd69-5b79-8031-2c5a12b1767e"
 testing_pr: 2144
-testing_sha: cd90828b69a82928a91ef98eeebb0442d480ba11
+testing_sha: de40d455580091824df1a9daf051dbfa2584ca0d