From c0eea2338daf386b8e491c2dce01d4278a8f6085 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Thu, 9 Nov 2023 11:35:52 -0500
Subject: [PATCH] Use attachments instead of message screenshot
---
 ...nk_credential_phishing_intent_and_other_indicators.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index d985200d56a..f72fc5eb6ae 100644
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -304,10 +304,14 @@ source: |
 )
 ),
 // in case it's embedded in an image attachment
- any(file.explode(beta.message_screenshot()),
- any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ // note: don't use message_screenshot() because it's not limited to current_thread
+ // and may FP
+ any(attachments, .file_type in $file_types_images
+ and any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
 .name == "cred_theft" and .confidence == "high"
 )
+ )
 )
 )
 or (
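Review bot: The new `any(attachments, .file_type in $file_types_images and ...)` branch only OCRs attachments whose `.file_type` is classified as an image, so its coverage is narrower than the rendered screenshot it replaces, and the added comment explains why `message_screenshot()` was dropped but not what is no longer inspected. If `.file_type` is derived from content inspection this is probably acceptable; if it follows the declared type, an image delivered with a mismatched type would now be skipped, which is worth confirming before relying on this branch. Either way the trade-off should be stated where the next maintainer will see it, e.g. extend the note to `// and may FP; trade-off: only attachments classified as images are OCR'd, not the rendered body`. The `source:` expression this sits in begins before the hunk and continues past the trailing `or (`, so the surrounding alternatives could not be checked here.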