From 6c1b6366137cd79fce7c5a9eff5890a4d81edffb Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 18 Dec 2024 08:58:58 -0600
Subject: [PATCH 1/2] Update link_microsoft_low_reputation.yml

resolve FPs by using imatch which is anchored to the start
---
 detection-rules/link_microsoft_low_reputation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 95c91a63b02..8b158586399 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -71,7 +71,7 @@ source: |
 and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 )
 or strings.istarts_with(strings.replace_confusables(body.current_thread.text), "Microsoft ")
- or regex.icontains(strings.replace_confusables(body.current_thread.text), '(?:^|\n)[o0O]ff[il1]ce\b')
+ or regex.imatch(strings.replace_confusables(body.current_thread.text), '(?:\n)*[o0O]ff[il1]ce\b.*')
 or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")
 )

From 01e3dbdcf63a204b6aeec273c898cb929c025530 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 18 Dec 2024 09:04:17 -0600
Subject: [PATCH 2/2] Update link_microsoft_low_reputation.yml

---
 detection-rules/link_microsoft_low_reputation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 8b158586399..67b83e08151 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -71,7 +71,7 @@ source: |
 and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 )
 or strings.istarts_with(strings.replace_confusables(body.current_thread.text), "Microsoft ")
- or regex.imatch(strings.replace_confusables(body.current_thread.text), '(?:\n)*[o0O]ff[il1]ce\b.*')
+ or regex.imatch(strings.replace_confusables(body.current_thread.text), '[\n\s]*[o0O]ff[il1]ce\b.*')
 or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")
 )
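Review bot: `[\n\s]*` on the added line is equivalent to `\s*`, because `\s` already includes the newline in RE2, so the simpler form `or regex.imatch(strings.replace_confusables(body.current_thread.text), '\s*[o0O]ff[il1]ce\b.*')` expresses the same leading-whitespace skip. Whether the trailing `.*` behaves as intended depends on how regex.imatch anchors: if it only anchors at the start, as the first patch's description says, `.*` is redundant, but if it requires the whole input to match, `.` does not cross a newline in RE2 by default and any body with text after the "Office" line would silently stop matching, quietly reducing the rule's coverage. That is worth confirming against the function's documented semantics, and if full-string matching is the case, prefixing `(?s)` or dropping `.*` settles it. The `source` expression this line belongs to starts and ends outside the hunk.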