From b753314291d53c5611b335dbb9281323eefa93c4 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 23 Oct 2023 11:38:39 -0400
Subject: [PATCH] Update callback_phishing_nlu_body_or_attachments.yml (#872)
---
 .../callback_phishing_nlu_body_or_attachments.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 019994e3efc..6bb839e781f 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -10,8 +10,13 @@ source: |
 any(attachments,
 (.file_type in $file_types_images or .file_type == "pdf")
 and any(file.explode(.),
- any(ml.nlu_classifier(.scan.ocr.raw).intents,
- .name == "callback_scam" and .confidence == "high"
+
+ // exclude images taken with mobile cameras
+ not any(.scan.exiftool.fields,
+ .key == "Model" and strings.istarts_with(.value, "Iphone")
+ )
+ and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "callback_scam" and .confidence == "high"
 )
 )
 )
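Review bot: The added `not any(.scan.exiftool.fields, ...)` exclusion keys on the EXIF `Model` value, which is written by whoever produced the file, so any exploded node whose Model begins with "iphone" is never evaluated against the `callback_scam` intent, whatever its OCR text says. That buys a false-positive fix at the cost of a blind spot; consider pairing the exclusion with a condition the sender does not control, and track how often it fires so the trade-off stays visible. The comment also says "mobile cameras" while the match covers only iPhone models, so I would reword it to `// exclude photos whose EXIF Model starts with "iphone" (case-insensitive); EXIF is sender-supplied, so this is FP reduction only`. The `source` expression starts and ends outside the hunk, so conditions not shown here may already narrow this.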