Update link_hidden_dir.yml

detection-rules/link_hidden_dir.yml

@@ -23,6 +23,14 @@ source: |
           or strings.icontains(.href_url.path, "/.zshrc/")
           or strings.icontains(.href_url.path, "/.profile/")
   )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
 tags:
  - "Attack surface reduction"
 attack_types: