From d3b7f6bc9629a4da734728f6f70e4a4f45d98879 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 26 Oct 2023 09:24:36 -0700
Subject: [PATCH] Update link_deactivated_bitly.yml (#883)
---
 detection-rules/link_deactivated_bitly.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/detection-rules/link_deactivated_bitly.yml b/detection-rules/link_deactivated_bitly.yml
index b0467b973d4..cb78681c762 100644
--- a/detection-rules/link_deactivated_bitly.yml
+++ b/detection-rules/link_deactivated_bitly.yml
@@ -1,6 +1,6 @@
-name: "Link: Deactivated bit.ly link"
+name: "Link: Flagged bit.ly link"
 description: |
- Shortened link is blocked by bit.ly. Indicator of malicious email.
+ Shortened link is blocked or gated by bit.ly. Indicator of malicious email.
 type: "rule"
 severity: "medium"
 source: |
@@ -10,8 +10,8 @@ source: |
 .href_url.domain.root_domain == "bit.ly"
 // link doesn't forward through
 and beta.linkanalysis(.).effective_url.domain.domain == "bit.ly"
- // blocked by bit.ly
- and strings.ilike(beta.linkanalysis(.).final_dom.display_text, "*link*blocked*")
+ // blocked or gated by bit.ly
+ and strings.ilike(beta.linkanalysis(.).final_dom.display_text, "*link*blocked*", "*flagged*by*")
 )
 attack_types:
 - "Credential Phishing"
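Review bot: The `"*flagged*by*"` pattern added to the `strings.ilike` call in the second hunk is much looser than the existing `"*link*blocked*"`, since it matches any display text in which "flagged" appears anywhere before "by", and the rule is `severity: "medium"`. The `effective_url.domain.domain == "bit.ly"` condition keeps matches to pages that end on bit.ly, which bounds false positives, but the patch does not record which interstitial wording the pattern targets, so a reviewer cannot tell whether it also fires on other bit.ly notices. I would add the observed wording above the call, e.g. `// bit.ly warning page text: "<observed interstitial text>"`, and narrow the glob to more of that phrase if the wording permits. The `source` expression starts above this hunk, so the full condition is not visible here.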