Update link_google_open_redirect_with_suspicious_indicators.yml (#749)

sublime-security · Sep 19, 2023 · 7bd862d · 7bd862d
1 parent 4788c8b
commit 7bd862d
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
@@ -6,11 +6,13 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  // All attachments are images
-  and length(attachments) > 0
-  and all(attachments, .file_type in $file_types_images)
+  // All attachments are images or 0 attachments
+  and (
+    (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
+    or length(attachments) == 0
+  )
   and sender.email.domain.root_domain not in $org_domains
-
+  
   // not a reply
   and (
     length(headers.references) == 0
@@ -52,15 +54,15 @@ source: |
     (
       any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
     ),
-
+  
     // White font is found in html raw
     (
       length(body.html.display_text) < 500
       and regex.icontains(body.html.raw,
                           '<div style="color: #fff(fff)?.[^<]+<\/div><\/div><\/body><\/html>$'
       )
     )
-
+  
     // domains using .app matching this pattern observed abusing google's redirect
     or regex.icontains(sender.email.domain.domain, '[a-z]{3,}\.\d{5,}[^\.]+\.app$')
   )