Update link_credential_phishing_intent_and_other_indicators.yml

Falsely returns true if recipient is null. Adding a valid check
sublime-security · Sep 13, 2023 · c77b714 · c77b714
1 parent dec1558
commit c77b714
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -279,7 +279,8 @@ source: |
           // this is common in link tracking, both for
           // benign marketing traffic but also attackers
           any(recipients.to,
-              strings.icontains(..href_url.url, .email.local_part)
+              .email.domain.valid
+              and strings.icontains(..href_url.url, .email.local_part)
               and strings.icontains(..href_url.url, .email.domain.domain)
           )
   )
@@ -290,12 +291,12 @@ source: |
   and (
     // freemail providers should never be sending this type of email
     sender.email.domain.domain in $free_email_providers
-
+  
     // if not freemail, it's suspicious if the sender's root domain
     // doesn't match any links in the body
     or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
   )
-
+  
   // first-time sender
   and (
     (