diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 0df96e25fe3..a5eb16d114e 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -25,7 +25,11 @@ source: |
 all(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
 and .href_url.domain.root_domain not in $org_domains
- and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
+ and .href_url.domain.root_domain not in (
+ "unitelvoice.com",
+ "googleapis.com",
+ "dialmycalls.com"
+ )
 )
 ),
 (
@@ -34,6 +38,20 @@ source: |
 ),
 )
 and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
+
+ // negating legit replies
+ and not (
+ (
+ strings.istarts_with(subject.subject, "RE:")
+ // out of office auto-reply
+ // the NLU model will handle these better natively soon
+ or strings.istarts_with(subject.subject, "Automatic reply:")
+ )
+ and (
+ length(headers.references) > 0
+ or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+ )
 and (
 (
 sender.email.domain.root_domain in $free_email_providers
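Review bot: The reply carve-out added in the second hunk is decided entirely by fields the sending side controls — a subject prefix of "RE:" or "Automatic reply:" plus a non-empty References header or an In-Reply-To field on any hop — so a voicemail-themed message that carries those will be excluded even when every other condition of the rule still matches, and the comment `// negating legit replies` does not record that this false-negative risk was accepted. A comment such as `// negating legit replies; this keys on subject prefix and threading headers, which the sender sets, so some FN risk is accepted to cut reply/OOO noise` would make the trade-off visible to whoever tunes the rule next. Two smaller points: `strings.istarts_with(subject.subject, "RE:")` only covers the English prefix, so localized reply prefixes are not negated, and the `headers.hops` check accepts an In-Reply-To on any hop rather than the originating message, which is worth stating in the same comment if intended. The `and (` block that follows the carve-out continues past the end of the hunk.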