Negate FP: link_credential_phishing_voicemail_language.yml

Negating automatic replies.

detection-rules/link_credential_phishing_voicemail_language.yml

@@ -25,7 +25,11 @@ source: |
       all(body.links,
           .href_url.domain.root_domain != sender.email.domain.root_domain
           and .href_url.domain.root_domain not in $org_domains
-          and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
+          and .href_url.domain.root_domain not in (
+            "unitelvoice.com",
+            "googleapis.com",
+            "dialmycalls.com"
+          )
       )
     ),
     (
@@ -34,6 +38,20 @@ source: |
     ),
   )
   and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
+  
+  // negating legit replies
+  and not (
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      // out of office auto-reply
+      // the NLU model will handle these better natively soon
+      or strings.istarts_with(subject.subject, "Automatic reply:")
+    )
+    and (
+      length(headers.references) > 0
+      or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+    )
+  )
   and (
     (
       sender.email.domain.root_domain in $free_email_providers