From 99274fa0a1b9195a6b7db8ab9234ce4c873f9db2 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 25 Oct 2023 15:40:41 -0400
Subject: [PATCH] Update link_credential_phishing_secure_message.yml (#879)

---
 detection-rules/link_credential_phishing_secure_message.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 1960d5ee9e5..09618605c28 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -27,7 +27,7 @@ source: |
 .href_url.domain.root_domain != sender.email.domain.root_domain
 )
 // Negate known secure mailer(s)
- and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))
+ and not all(body.links, .href_url.domain.root_domain in ("mimecast.com", "cisco.com"))
 )
 and (
 profile.by_sender().prevalence in ("new", "outlier")
@@ -36,6 +36,7 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
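Review bot: The new `"cisco.com"` entry on the changed line widens the negation to the whole vendor root domain, not just the secure-message service, so any message whose links all resolve under cisco.com is excluded from this rule; that is a broader exception than the `mimecast.com` entry it sits beside, since Cisco's root domain hosts far more than its encrypted-mail envelope service. If the intent is to allow only the secure-message service, consider matching the specific service hostname rather than the root domain, or at minimum document the scope in the comment, e.g. `// Negate known secure mailer(s): Mimecast secure messaging, Cisco secure email encryption (root-domain match)`. Note the exclusion is a root-domain comparison applied with `all(body.links, …)`, so a single non-matching link keeps the message in scope, which limits but does not remove the widening. The enclosing `source: |` condition starts before this hunk; the second hunk only adds a blank line.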