diff --git a/detection-rules/recipients_undisclosed_compauth_check.yml b/detection-rules/recipients_undisclosed_compauth_check.yml
index bf7b2ffbd88..b09805eb138 100644
--- a/detection-rules/recipients_undisclosed_compauth_check.yml
+++ b/detection-rules/recipients_undisclosed_compauth_check.yml
@@ -27,6 +27,25 @@ source: |
 )
 )
 )
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
 detection_methods:
 - "Content analysis"
 - "Computer Vision"
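Review bot: A message whose From root domain is in `$high_trust_sender_root_domains` but whose hops carry no DMARC verdict at all (every `.authentication_results.dmarc` null, or a `none` result) is negated as trusted, because the `any(distinct(headers.hops, ...), strings.ilike(..., "*fail"))` test in the second added group only fires on an explicit fail — so a spoofed high-trust sender whose Authentication-Results headers were stripped or never added upstream would be excluded from this rule. If the intent is to trust these domains only when they actually authenticate, the safer shape is to require an explicit pass for the exemption, e.g. `sender.email.domain.root_domain not in $high_trust_sender_root_domains` `or not any(headers.hops, .authentication_results.dmarc is not null and strings.ilike(.authentication_results.dmarc, "pass"))`, and the `// negate ...` comment should say which way missing DMARC data is treated so the next reader does not have to infer it. Separately, the `(A and B) or not A` form of that group is equivalent to `not A or B`, which reads more directly and avoids repeating the `$high_trust_sender_root_domains` lookup. The `source: |` expression this hunk extends begins before line 27, so the leading condition it is ANDed with is outside the hunk.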