Update link_credential_phishing_voicemail_language.yml (#863)

sublime-security · Oct 18, 2023 · c270e4d · c270e4d
1 parent ff301af
commit c270e4d
Showing 1 changed file with 7 additions and 8 deletions.
diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -10,8 +10,8 @@ source: |
   // voicemail related
   and (
     any([subject.subject, sender.display_name, ],
-        regex.icontains(., '(voice)\s?(mail|message|recording|call)|transcription')
-        or regex.contains(body.current_thread.text, '(voice)\s?(mail|message|recording|call)')
+        regex.icontains(., '(voice|audio)\s?(mail|message|recording|call)|transcription')
+        or regex.contains(body.current_thread.text, '(voice|audio)\s?(mail|message|recording|call)')
     )
   )
     and 2 of (
@@ -45,12 +45,10 @@ source: |
         )
       ),
     )
-    and (
-      sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com", "voipinterface.net")
-      or not any(attachments, strings.starts_with(.content_type, "audio"))
-    )
-  
-    // negating legit replies
+    
+  // negating legit replies and legitimate audio file attachments and known voicemail senders
+  and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com", "voipinterface.net")
+  and not any(attachments, strings.starts_with(.content_type, "audio"))
     and not (
       (
         strings.istarts_with(subject.subject, "RE:")
@@ -71,6 +69,7 @@ source: |
       and not profile.by_sender().any_false_positives
     )
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: