From 822924b703455ea7b259c63fe27699716f44bf40 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Wed, 20 Sep 2023 08:35:43 -0700
Subject: [PATCH] Exclude automatic out of office replies (#801)

---
 .../body_business_email_compromise_new_sender.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index 1c509c258c0..16fb9df2d5f 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -10,7 +10,12 @@ source: |
   )
   // negating legit replies
   and not (
-    strings.istarts_with(subject.subject, "RE:")
+    (
+      strings.istarts_with(subject.subject, "RE:")
+      // out of office auto-reply
+      // the NLU model will handle these better natively soon
+      or strings.istarts_with(subject.subject, "Automatic reply:")
+    )
     and (
       length(headers.references) > 0
       or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
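Review bot: The new `"Automatic reply:"` exclusion is keyed entirely on a sender-controlled subject string, so a BEC sender can opt out of this rule by prefixing the subject and adding a `References` or `In-Reply-To` header, both of which the visible `and (` branch already accepts; the commit widens an existing weakness in the `RE:` exclusion rather than introducing a new one, but the trade-off deserves a comment. A less spoofable signal for genuine out-of-office mail is the RFC 3834 `Auto-Submitted: auto-replied` header, which could be required alongside the prefix using the same shape as the existing hop check, e.g. `and any(headers.hops, any(.fields, strings.ilike(.name, "Auto-Submitted")))` — if MQL exposes a dedicated field for it, prefer that. The prefix also only matches the English Exchange/Outlook form, so localized auto-replies ("Réponse automatique :", "Automatische Antwort:") will still fire; a comment such as `// matches the English Exchange/Outlook OOF prefix only` would set expectations. The `// the NLU model will handle these better natively soon` comment should cite a tracking issue or date so the exclusion can be retired when that lands. The enclosing `and not (` expression continues past the end of the hunk.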