diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml
index 7a9db4db410..224a9996bff 100644
--- a/detection-rules/attachment_html_attachment_login_page.yml
+++ b/detection-rules/attachment_html_attachment_login_page.yml
@@ -44,7 +44,7 @@ source: |
)
)
)
- or
+ or
//Known phishing obfuscation
2 of (
// Enter password
@@ -53,14 +53,14 @@ source: |
"*Enter password*"
)
),
-
- // Forgotten my password
- any(.scan.strings.strings,
- strings.ilike(.,
+
+ // Forgotten my password
+ any(.scan.strings.strings,
+ strings.ilike(.,
"*Forgotten my password*"
)
),
-
+
// Sign in
any(.scan.strings.strings,
strings.ilike(., "*Sign in*")
@@ -69,6 +69,20 @@ source: |
)
)
+ and (
+ (
+ // exclude internal mailers where there is no SPF configured.
+ // if the sender's root domain is an org domain, we
+ // ensure there's no SPF failures to protect against spoofs.
+ // we use root_domain because it's typically subdomains that are misconfigured
+ sender.email.domain.root_domain in $org_domains
+ and not any(distinct(headers.hops, .received_spf.verdict is not null),
+ strings.ilike(.received_spf.verdict, "*fail")
+ )
+ )
+ or sender.email.domain.root_domain not in $org_domains
+ )
+
// negate highly trusted sender domains unless they fail DMARC authentication
and
(
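Review bot: The new org-domain clause appears inverted relative to its own comment: "ensure there's no SPF failures to protect against spoofs" describes firing when an org-domain sender fails SPF, but `and not any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*fail"))` makes the rule fire only when no hop reports an SPF fail, so a spoofed internal sender is exactly the case that gets suppressed. If the intent mirrors the $high_trust_sender_root_domains clause below (fire for trusted domains only on an authentication failure), the fix is to drop the `not` and reword the header comment to `// exclude internal mailers unless SPF fails, since a failing org-domain sender is a likely spoof`; if suppression of failing internal senders is deliberate (handled elsewhere), the comment should say so instead, since a reader will otherwise take it as a bug. Separately, `distinct(..., .received_spf.verdict is not null)` keys uniqueness on a boolean, so it retains at most one hop with a verdict and the `any` only inspects that hop; if the intent is "any hop with a verdict that fails", `filter(headers.hops, .received_spf.verdict is not null)` seems like the intended call — please confirm against the MQL semantics of `distinct`. The enclosing `source:` block starts and ends outside this hunk.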
@@ -83,6 +97,7 @@ source: |
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
+
and (
(
not profile.by_sender().solicited