From cc487d104cc05adb552a3961bb45565c0406fcd4 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 18 Sep 2023 16:47:11 -0400
Subject: [PATCH] Update impersonation_recipient_domain.yml

Changing recipient domain to use mailbox.email.domain.root_domain to negate instances where the recipient is the sender, and delivery is accomplished via BCC's.
---
 detection-rules/impersonation_recipient_domain.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml
index d02e2a84f81..38276311f64 100644
--- a/detection-rules/impersonation_recipient_domain.yml
+++ b/detection-rules/impersonation_recipient_domain.yml
@@ -15,8 +15,8 @@ source: |
 // custom domains only
 sender.email.domain.domain not in $free_email_providers
- // recipient's domain is in the sender's display name
- and strings.icontains(sender.display_name, .email.domain.root_domain)
+ // mailbox recipient's domain is in the sender's display name
+ and strings.icontains(sender.display_name, mailbox.email.domain.root_domain)
 ) and not (
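Review bot: With `mailbox.email.domain.root_domain` the added condition no longer reads the list element that the removed `.email.domain.root_domain` form referred to, so if this predicate still sits inside an iterator over the recipient list (its opening call is above the hunk; only the closing `)` is visible), the iteration now only tests that the list is non-empty. A message whose visible recipient list is empty would then fail the iterator before the display-name comparison runs, which looks like the BCC delivery case the commit message is trying to cover; consider hoisting the two conditions out of the iterator so they stand as plain top-level `and` clauses. The new comment could also record the reason for the switch, e.g. `// compare against the receiving mailbox's domain: the To: header may hold only the sender when delivery is via BCC`. The `and not (` block continues past the end of the hunk, so its exclusions are not covered by this note.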