diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml index 7d802543568..753dc4cb631 100644 --- a/detection-rules/attachment_docusign_image_suspicious_links.yml +++ b/detection-rules/attachment_docusign_image_suspicious_links.yml @@ -26,11 +26,13 @@ source: | ) ) and ( - profile.by_sender().prevalence in ("new", "outlier") + ( + not profile.by_sender().solicited + and profile.by_sender().prevalence in ("new", "outlier") + ) or ( profile.by_sender().any_messages_malicious_or_spam and not profile.by_sender().any_false_positives - ) ) attack_types:
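Review bot: The added `not profile.by_sender().solicited` gates only the `prevalence in ("new", "outlier")` branch, so a sender the organisation has previously written to no longer matches on prevalence alone. A compromised account at a known correspondent sending a DocuSign-image lure would then be caught only by the `any_messages_malicious_or_spam` branch, which needs prior flagged history. If this trade-off is intended to reduce false positives, record it above the group, e.g. `// solicited senders are excluded here; they match only via prior malicious/spam history`. As shown, the hunk also removes one `)` near the end with no visible replacement, so check the parenthesis balance of the `and (` group; this may only be an artifact of how the diff was rendered. The `source` expression starts above the hunk, so the earlier conditions are not visible here.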