From 7d48087a34a1ba1b2d0b58cf6f8ac13b200f4045 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 7 Nov 2023 16:57:32 -0500
Subject: [PATCH] Update impersonation_employee_payroll_fraud.yml (#934)
---
 detection-rules/impersonation_employee_payroll_fraud.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml
index 108b809ed80..a9f09128b93 100644
--- a/detection-rules/impersonation_employee_payroll_fraud.yml
+++ b/detection-rules/impersonation_employee_payroll_fraud.yml
@@ -15,13 +15,13 @@ source: |
 )
 and 1 of (
 regex.icontains(body.plain.raw,
- '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
+ '(pay\s?(roll|check|date|day)|direct deposit|ACH|\bdd\b|gehalt|salario|salary)'
 ),
 regex.icontains(body.html.inner_text,
- '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
+ '(pay\s?(roll|check|date|day)|direct deposit|ACH|\bdd\b|gehalt|salario|salary)'
 ),
 regex.icontains(subject.subject,
- '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'
+ '(pay\s?(roll|check|date|day)|direct deposit|ACH|\bdd\b|gehalt|salario|salary)'
 )
 )
 and (
@@ -31,6 +31,7 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
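Review bot: The new `ACH` alternative is unanchored inside a case-insensitive match (`regex.icontains`), so it also fires on the substring of ordinary words such as "each", "attach", "reach" or "machine" in the body or subject, which widens this payroll-fraud rule's false-positive surface well beyond the intended bank-transfer term. The neighbouring `\bdd\b` token shows the pattern already uses word boundaries for short tokens, and the same treatment is needed here on all three changed lines of the first hunk (body.plain.raw, body.html.inner_text, subject.subject): `'(pay\s?(roll|check|date|day)|direct deposit|\bACH\b|\bdd\b|gehalt|salario|salary)'`. Because the identical expression is copied three times, any future tuning has to be applied in lockstep by hand; if the rule language allows it, expressing the alternation once would keep the three copies from drifting. The enclosing `source:` block starts before the first hunk and continues past the second.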