From b60798ad4dd37fedc16d5fca1ead8e5b42371611 Mon Sep 17 00:00:00 2001
From: Sam Scholten <sam@sublimesecurity.com>
Date: Tue, 7 Nov 2023 13:36:06 -0500
Subject: [PATCH] Update attachment_callback_phish_with_pdf.yml (#927)

---
 detection-rules/attachment_callback_phish_with_pdf.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
index 5a6e88d96d7..e6d10a35549 100644
--- a/detection-rules/attachment_callback_phish_with_pdf.yml
+++ b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -45,7 +45,7 @@ source: |
                     strings.icontains(.scan.ocr.raw, "cancel"),
                     strings.icontains(.scan.ocr.raw, "renew"),
                     strings.icontains(.scan.ocr.raw, "refund"),
-                    regex.icontains(.scan.ocr.raw, '\+\d')
+                    regex.icontains(.scan.ocr.raw, '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})')
                   )
           )