Removing FTS//Unsolicited Comments

detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml

@@ -17,7 +17,6 @@ source: |
                   )
           )
   )
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml

@@ -18,7 +18,6 @@ source: |
                   )
           )
   )
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/attachment_qr_code_suspicious_components.yml

@@ -55,8 +55,6 @@ source: |
             )
           )
   )
-
-  // first time sender
   and (
             (
                 sender.email.domain.root_domain in $free_email_providers

detection-rules/attachment_svg_embedded_js.yml

@@ -21,8 +21,6 @@ source: |
                   and any(.scan.strings.strings, strings.icontains(., "CDATA"))
           )
   )
-
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/body_business_email_compromise_unsolicited.yml

@@ -42,8 +42,6 @@ source: |
       )
     )
   )
-  
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/impersonation_amazon_suspicious_text.yml

@@ -33,7 +33,6 @@ source: |
             )
           )
   )
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/impersonation_docusign.yml

@@ -51,7 +51,6 @@ source: |
     )
     and strings.contains(sender.display_name, "via")
   )
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/impersonation_employee_subject.yml

@@ -15,7 +15,6 @@ source: |
           any(ml.nlu_classifier(.).intents, .name == "bec" and .confidence in ("medium", "high"))
   )
 
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/impersonation_finra.yml

@@ -12,8 +12,6 @@ source: |
     or strings.ilevenshtein(sender.email.domain.sld, 'finra') <= 1
   )
   and sender.email.domain.root_domain not in~ ('finra.org', 'finrax.com')
-
-  // unsolicited
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/impersonation_paypal.yml

@@ -52,8 +52,6 @@ source: |
     'paypal-prepaid.com',
     'xoom.com'
   )
-
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/impersonation_sublime_security.yml

@@ -12,7 +12,6 @@ source: |
     or strings.ilevenshtein(sender.email.domain.domain, 'sublimesecurity.com') <= 2
   )
   and sender.email.domain.domain != 'sublimesecurity.com'
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/impersonation_vip_urgent_request.yml

@@ -15,7 +15,6 @@ source: |
       and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
     )
   )
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_credential_phishing_intent_and_other_indicators.yml

@@ -296,8 +296,6 @@ source: |
     // doesn't match any links in the body
     or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
   )
-  
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_credential_phishing_secure_message.yml

@@ -29,8 +29,6 @@ source: |
     // Negate known secure mailer(s)
     and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))
   )
-  
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml

@@ -44,7 +44,6 @@ source: |
     any(recipients.to, strings.icontains(subject.subject, .email.email)),
   )
 
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/link_download_disk_image_in_encrypted_zip.yml

@@ -24,7 +24,6 @@ source: |
               )
           )
   )
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_download_suspicious_file.yml

@@ -33,7 +33,6 @@ source: |
               )
           )
   )
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/link_fake_fax_low_reputation.yml

@@ -43,8 +43,6 @@ source: |
       )
     )
   )
-
-  // first time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_google_apps_script_macro.yml

@@ -11,7 +11,6 @@ source: |
   and any(body.links,
           .href_url.domain.domain == "script.google.com" and strings.ilike(.href_url.path, "/macros*")
   )
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_html_smuggling_with_adobe_branding.yml

@@ -25,7 +25,6 @@ source: |
               )
           )
   )
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/link_html_smuggling_with_google_drive_branding.yml

@@ -30,7 +30,6 @@ source: |
               )
           )
   )
-  // Unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/link_invoice_fake_customer_service_freemail_sender.yml

@@ -20,7 +20,6 @@ source: |
             )
           )
   )
-  // First time sender exclusions are in place to avoid legitimate messages from known freemail senders.
   and sender.email.email not in $sender_emails
 attack_types:
   - "BEC/Fraud"

detection-rules/link_ipfs_phishing.yml

@@ -31,7 +31,6 @@ source: |
   // adding negation block for legitimate domains with ipfs in their name
   and not sender.email.domain.domain in ("shipfsl.com")
 
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/link_login_or_captcha.yml

@@ -28,8 +28,6 @@ source: |
 
   // exclude FP prone senders
   and sender.email.domain.root_domain not in ("sharepointonline.com")
-
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_microsoft_device_code_phish.yml

@@ -32,8 +32,6 @@ source: |
     // A nine character string containing a combination of letters and characters
     regex.icontains(body.html.display_text, '[\W]([A-Z0-9]{9})[\W]')
   )
-
-  // Unsolicited
   and (
     not profile.by_sender().solicited
     or (

detection-rules/link_microsoft_impersonation_using_hosted_png.yml

@@ -32,8 +32,6 @@ source: |
 
   // org domain in the subject of the message
   and any($org_domains, strings.icontains(subject.subject, .))
-
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_notion_file_share.yml

@@ -43,8 +43,6 @@ source: |
           )
   )
   and sender.email.domain.domain != 'mail.notion.so'
-
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_qr_code_suspicious_language_fts.yml

@@ -44,7 +44,6 @@ source: |
     )
   )
   
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/link_suspicious_language_undisclosed_recipients.yml

@@ -37,7 +37,6 @@ source: |
   // subject is in all caps
   and regex.match(subject.subject, "[A-Z ]+")
   
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/mass_campaign_recipient_address_new_sender.yml

@@ -15,8 +15,6 @@ source: |
   // exclude To: Undisclosed recipients:;
   // since we won't have a valid recipient email
   and any(recipients.to, .email.domain.valid == true)
-
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/spam_campaign_excessive_display_text_with_keywords.yml

@@ -10,7 +10,6 @@ source: |
   and length(body.links) > 0
   and any(body.links, length(.display_text) > 3000)
   and any(body.links, regex.icontains(.display_text, '(\bPassword:)', 'Hi.{0,5}Welcome\b'))
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/spam_new_domain_emojis.yml

@@ -21,8 +21,6 @@ source: |
                       '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
     )
   )
-
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/spam_url_shortener_emojis.yml

@@ -24,8 +24,6 @@ source: |
                       '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
     )
   )
-
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (

detection-rules/vip_impersonation_attack_surface_reduction.yml

@@ -21,7 +21,6 @@ source: |
     or sender.display_name != mailbox.display_name
   )
 
-  // first-time sender
   and (
     profile.by_sender().prevalence in ("new", "outlier")
     or (
@@ -30,7 +29,6 @@ source: |
     )
   )
 
-  // unsolicited
   and (
     not profile.by_sender().solicited
     or (