Update headers_replyto_new_domain_nlu_request.yml

Removing prevalence
sublime-security · Nov 9, 2023 · dd96d5c · dd96d5c
1 parent b6293df
commit dd96d5c
Showing 1 changed file with 2 additions and 10 deletions.
diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml
@@ -9,28 +9,20 @@ source: |
   and any(headers.reply_to,
           // mismatched reply-to and sender domain
           .email.domain.root_domain != sender.email.domain.root_domain
-
           // newly registered reply-to domain
           and beta.whois(.email.domain).days_old <= 30
   )
-
   // request is being made
   and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
-
   // there's financial/urgency OR a tag of medium/high confidence
   and (
     any(ml.nlu_classifier(body.current_thread.text).entities, .name in ("financial", "urgency"))
     or any(ml.nlu_classifier(body.current_thread.text).tags,
            .name is not null and .confidence in ("medium", "high")
     )
   )
-  and (
-    profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
-  )
+  and not profile.by_sender().any_false_positives
+  
 attack_types:
   - "BEC/Fraud"
 tactics_and_techniques: