diff --git a/insights/links/recipient_address_in_link.yml b/insights/links/recipient_address_in_link.yml
index b81fd2924d7..7794c535904 100644
--- a/insights/links/recipient_address_in_link.yml
+++ b/insights/links/recipient_address_in_link.yml
@@ -1,7 +1,7 @@
 name: "Recipient email in link"
 type: "query"
 source: |
- distinct(map(filter(body.links, any(recipients.to, strings.icontains(..href_url.url, .email.email))), .href_url.url), .)
+ distinct(map(filter(body.links, any(recipients.to, strings.icontains(..href_url.url, .email.email) and any(recipients.to, .email.domain.valid))), .href_url.url), .)
 severity: "low"
 tags:
 - "Suspicious links"
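Review bot: The added `any(recipients.to, .email.domain.valid)` in the `source` query is not bound to the recipient whose address matched the link. It is true as soon as any To recipient has a valid domain, so on a multi-recipient message an entry with an invalid domain can still satisfy `strings.icontains` and surface the link. If the intent is that the matching recipient itself must be valid (inferred from the change, not stated on the page), test the current element of the outer `any` instead: `strings.icontains(..href_url.url, .email.email) and .email.domain.valid`. That form also avoids re-scanning `recipients.to` for every link and recipient pair. A YAML comment above `source:` saying why invalid recipient domains are excluded would help whoever tunes this insight later.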