From 5e3e9a5022bf388b9b0259d8dd013e9fd493527f Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 1 Sep 2023 11:54:58 -0700
Subject: [PATCH] Updating Rule: headers_voicemail_sendgrid.yml Adding NLU requirement.
---
 detection-rules/headers_voicemail_sendgrid.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/headers_voicemail_sendgrid.yml b/detection-rules/headers_voicemail_sendgrid.yml
index 149daddbc12..48932c3504b 100644
--- a/detection-rules/headers_voicemail_sendgrid.yml
+++ b/detection-rules/headers_voicemail_sendgrid.yml
@@ -9,6 +9,7 @@ source: |
 type.inbound
 and headers.return_path.domain.domain == 'sendgrid.net'
 and strings.ilike(subject.subject, '*voicemail*', '*voice message*')
+ and any(ml.nlu_classifier(body.current_thread.text).intents, .name not in ("benign", "unknown"))
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
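Review bot: The added `any(ml.nlu_classifier(body.current_thread.text).intents, ...)` conjunct has no comment saying why it was added or what it excludes, and it makes the rule depend on the body text being classifiable. If the classifier returns no intents, or only `unknown`, for a message with little or no body text (plausible for notifications whose content sits in an attachment or image, though no sample is visible here), `any(...)` is false and a message the previous rule matched no longer alerts. I would add a line above it such as `// require a non-benign NLU intent to cut FPs from legitimate SendGrid voicemail notices; does not match when the body has no classifiable text`, and confirm that trade-off against known-bad samples before merging. The rule's name and description sit above the hunk, so whether they mention the NLU requirement cannot be checked from here.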