From 710059e23eedfce97604a0706bebf2a311d32afd Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 25 Sep 2023 12:09:30 -0400
Subject: [PATCH] FP Update: Update attachment_html_recipient_in_javascript_identifiers.yml Adding negation for Cisco Secure Email Encryption
---
 .../attachment_html_recipient_in_javascript_identifiers.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
index 92325b3de87..557e6b5eded 100644
--- a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
+++ b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
@@ -30,6 +30,12 @@ source: |
 )
 )
 )
+
+ // Negating Cisco Secure Email Encryption
+ and (
+ length(body.links) > 0
+ and not all(body.links, strings.ilike(.href_url.domain.domain, "res.cisco.com"))
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
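Review bot: The added `length(body.links) > 0` is ANDed into the rule itself rather than into the negation, so a message that carries the HTML attachment but has no body links stops matching at all, which looks like an unintended detection gap rather than part of the Cisco exclusion. If the intent is only to skip messages whose links all point at Cisco Secure Email Encryption, the clause is safer as `and not (length(body.links) > 0 and all(body.links, strings.ilike(.href_url.domain.domain, "res.cisco.com")))`. The exclusion also rests solely on body link domains, which are message content chosen by the sender, so it would be worth pairing it with a sender-authentication condition for the Cisco service; the fields needed for that are not visible in this hunk. The `source` expression begins above the hunk, so how this clause combines with the earlier conditions should be confirmed against the full rule.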