From 4563265c6137c0aa3c8a5a9c010f95c8954cee2f Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Mon, 25 Nov 2024 15:06:21 +0000
Subject: [PATCH] Sync from PR#2144 Create impersonation_schwab.yml by @morriscode https://github.com/sublime-security/sublime-rules/pull/2144 Source SHA de40d455580091824df1a9daf051dbfa2584ca0d Triggered by @morriscode
---
 detection-rules/impersonation_schwab.yml | 36 +++++++++---------------
 1 file changed, 13 insertions(+), 23 deletions(-)
diff --git a/detection-rules/impersonation_schwab.yml b/detection-rules/impersonation_schwab.yml
index 1f0c06f2132..6971ae3bd9f 100644
--- a/detection-rules/impersonation_schwab.yml
+++ b/detection-rules/impersonation_schwab.yml
@@ -26,36 +26,26 @@ source: |
 )
 // and the sender is not in org_domains or from charles shwab domains and passes auth
- and (
- (
- (
- sender.email.domain.root_domain in $org_domains
- or sender.email.domain.root_domain in (
- "schwab.com",
- "aboutschwab.com.",
- "schwabmoneywise.com"
- )
- )
- and not headers.auth_summary.dmarc.pass
- )
+ and not (
+ sender.email.domain.root_domain in $org_domains
 or (
- sender.email.domain.root_domain not in $org_domains
- and sender.email.domain.root_domain not in (
+ sender.email.domain.root_domain in (
 "schwab.com",
 "aboutschwab.com.",
 "schwabmoneywise.com"
 )
+ and headers.auth_summary.dmarc.pass
 )
 )
- // and the sender is not from high trust sender root domains
- and (
- (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and not headers.auth_summary.dmarc.pass
+ // and the sender is not from high trust sender root domains
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
- )
- and not profile.by_sender().solicited
+ and not profile.by_sender().solicited
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
@@ -67,4 +57,4 @@ detection_methods:
 - "Sender analysis"
 id: "7abde595-bd69-5b79-8031-2c5a12b1767e"
 testing_pr: 2144
-testing_sha: cd90828b69a82928a91ef98eeebb0442d480ba11
+testing_sha: de40d455580091824df1a9daf051dbfa2584ca0d
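Review bot: The new `and not ( sender.email.domain.root_domain in $org_domains or ( ... ) )` exempts every sender whose root domain is in $org_domains regardless of the DMARC result, whereas the removed block only exempted org and Schwab domains together with a `headers.auth_summary.dmarc.pass` check, so a message spoofing the org's own domain that fails DMARC is now silently suppressed by this rule. If that is not intended, keep org domains inside the DMARC-gated group: `and not ( ( sender.email.domain.root_domain in $org_domains or sender.email.domain.root_domain in ("schwab.com", "aboutschwab.com", "schwabmoneywise.com") ) and headers.auth_summary.dmarc.pass )`. Separately, the retained `"aboutschwab.com."` entry carries a trailing dot, which presumably never equals a root_domain value and so leaves legitimate aboutschwab.com mail un-exempted; it looks like a typo for `"aboutschwab.com"` and is worth fixing while this block is being rewritten. The `source` block begins before this hunk.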