Update link_deactivated_bitly.yml (#883)

sublime-security · Oct 26, 2023 · d3b7f6b · d3b7f6b
1 parent aaffe1b
commit d3b7f6b
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/detection-rules/link_deactivated_bitly.yml b/detection-rules/link_deactivated_bitly.yml
@@ -1,6 +1,6 @@
-name: "Link: Deactivated bit.ly link"
+name: "Link: Flagged bit.ly link"
 description: |
-  Shortened link is blocked by bit.ly. Indicator of malicious email.
+  Shortened link is blocked or gated by bit.ly. Indicator of malicious email.
 type: "rule"
 severity: "medium"
 source: |
@@ -10,8 +10,8 @@ source: |
           .href_url.domain.root_domain == "bit.ly"
           // link doesn't forward through
           and beta.linkanalysis(.).effective_url.domain.domain == "bit.ly"
-          // blocked by bit.ly
-          and strings.ilike(beta.linkanalysis(.).final_dom.display_text, "*link*blocked*")
+          // blocked or gated by bit.ly
+          and strings.ilike(beta.linkanalysis(.).final_dom.display_text, "*link*blocked*", "*flagged*by*")
   )
 attack_types:
   - "Credential Phishing"