From e116d257a4a5998a208e64c191a51c798f96152d Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:44:26 -0700
Subject: [PATCH] Updating rule: impersonation_amazon.yml (#795)
---
 detection-rules/impersonation_amazon.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 0070ab55275..9ff86750df6 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -25,6 +25,11 @@ source: |
 and sender.email.domain.root_domain in $free_email_providers
 )
 )
+ // negate listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in~ (
 'amazon.com',
 'amazon.com.au',
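Review bot: The new `and not (...)` exclusion is satisfied entirely by sender-controlled values, so any message that carries a `List-Unsubscribe` header and has the letters "via" in its display name is now exempt from this impersonation rule. `strings.contains(sender.display_name, "via")` is a bare substring match and also hits names such as "Olivia"; matching the listserv form more tightly, e.g. `and strings.contains(sender.display_name, " via ")`, narrows that gap. Consider also tying the exclusion to something the sender cannot set freely (a passing authentication result or a known list domain), and expanding the comment to `// negate listservs: display name "X via List" plus a List-Unsubscribe header`. The `source:` expression begins and ends outside this hunk, so how the exclusion interacts with the rest of the rule cannot be checked from here.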