From fe1588ea0d8d2227b21f4a8bb32200381faaac84 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 5 Dec 2023 11:17:43 -0500
Subject: [PATCH] Revert "Changes to Docusign rule to reduce false positives." (#1085)
---
 .../credential_phishing_docusign_embedded_image_lure.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/detection-rules/credential_phishing_docusign_embedded_image_lure.yml b/detection-rules/credential_phishing_docusign_embedded_image_lure.yml
index 651b6a8242d..f6efc9339cc 100644
--- a/detection-rules/credential_phishing_docusign_embedded_image_lure.yml
+++ b/detection-rules/credential_phishing_docusign_embedded_image_lure.yml
@@ -5,8 +5,7 @@ severity: "high"
 source: |
 type.inbound
 and length(attachments) <= 1
- and length(body.links) > 0
- and all(body.links,
+ and any(body.links,
 not strings.ilike(.href_url.domain.root_domain, "docusign.*")
 )
 and (
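Review bot: The restored `and any(body.links,` line carries no explanation of why `any` is preferred over the reverted `all`, and the commit message gives none either, so the next false-positive report is likely to flip it back. If the intent is that one genuine DocuSign link must not exempt a message that also links elsewhere (inferred, not stated in the commit), record it above the line, e.g. `// any(), not all(): one docusign link must not exempt a message with other off-domain links`. The predicate's `"docusign.*"` glob on `root_domain` also accepts any TLD, so it may be worth pinning it to the root domains DocuSign actually uses. The `source` expression continues past the end of the hunk (`and (`), so how the later conditions bound false positives is not visible here.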