From f6ef607e1659b7957561ba22b7f00127c63de349 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 27 Dec 2024 12:56:53 -0600
Subject: [PATCH] Update link_hidden_dir.yml

---
 detection-rules/link_hidden_dir.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index 08507a76f6d..1a60b99f5b5 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
@@ -23,6 +23,14 @@ source: |
     or strings.icontains(.href_url.path, "/.zshrc/")
     or strings.icontains(.href_url.path, "/.profile/")
   )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
 tags:
   - "Attack surface reduction"
 attack_types:
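Review bot: The added eight-line clause is the long form of a single negation and reads more clearly as one, since `(A and not P) or not A` is exactly `not (A and P)`: `and not (sender.email.domain.root_domain in $high_trust_sender_root_domains and headers.auth_summary.dmarc.pass)`. The collapsed form also makes the exclusion's intent explicit in the code itself, which matters for a rule on an attack-surface-reduction list where a reader needs to see at a glance which trusted senders are being excluded. One behavior to confirm rather than assume: when the message carries no DMARC evaluation at all, `not headers.auth_summary.dmarc.pass` may evaluate as true, so a high-trust domain with a missing authentication result would presumably still alert; if that is intended, the comment should say so, e.g. `// high-trust domains are excluded only when DMARC explicitly passes`. The `source: |` expression this clause belongs to begins before the hunk.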