From 49031063b654a0e8397fb4a2f93a89dc0b475fa3 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 25 Oct 2023 09:40:54 -0400
Subject: [PATCH 1/2] Update callback_phishing_nlu_body_or_attachments.yml

Changing exiftools to check for "Model" this is present whenever the image is taken from a mobile device.
---
 .../callback_phishing_nlu_body_or_attachments.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 6bb839e781f..bd850896a51 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -10,11 +10,9 @@ source: |
 any(attachments,
 (.file_type in $file_types_images or .file_type == "pdf")
 and any(file.explode(.),
-
+
 // exclude images taken with mobile cameras
- not any(.scan.exiftool.fields,
- .key == "Model" and strings.istarts_with(.value, "Iphone")
- )
+ not any(.scan.exiftool.fields, .key == "Model")
 and any(ml.nlu_classifier(.scan.ocr.raw).intents,
 .name == "callback_scam" and .confidence == "high"
 )
@@ -37,6 +35,7 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
+
 attack_types:
 - "Callback Phishing"
 tactics_and_techniques:

From aa306311306dcc23defdbc718675687831c13965 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Thu, 26 Oct 2023 00:06:06 -0400
Subject: [PATCH 2/2] Update callback_phishing_nlu_body_or_attachments.yml

---
 .../callback_phishing_nlu_body_or_attachments.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index bd850896a51..0a2ae633dcf 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
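Review bot: The replacement line `not any(.scan.exiftool.fields, .key == "Model")` suppresses the rule for any attachment whose EXIF carries a Model tag with any value, whereas the removed condition only skipped values starting with "Iphone"; because exiftool fields are metadata that arrives with the attachment itself, this is a much wider allow-list than the commit message ("present whenever the image is taken from a mobile device") suggests, and it also covers desktop cameras and scanners. The unchanged context comment `// exclude images taken with mobile cameras` no longer describes the condition, and since the outer filter admits `.file_type == "pdf"`, the exclusion presumably applies to exploded PDF contents as well (the enclosing `any(file.explode(.), …)` opens before the hunk, so I cannot see its full scope). If the broad exclusion is intentional, record the rationale next to it, e.g. `// FP reduction: skip any attachment whose EXIF reports a camera Model; note this is sender-supplied metadata and also matches non-mobile devices`; otherwise keep a value check such as the earlier `strings.istarts_with(.value, "Iphone")` pattern extended to the other mobile vendors you see in false positives.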
@@ -11,8 +11,11 @@ source: |
 (.file_type in $file_types_images or .file_type == "pdf")
 and any(file.explode(.),
 
- // exclude images taken with mobile cameras
- not any(.scan.exiftool.fields, .key == "Model")
+ // exclude images taken with mobile cameras and screenshots from android
+ not any(.scan.exiftool.fields,
+ .key == "Model"
+ or .key == "Software" and strings.starts_with(.value, "Android")
+ )
 and any(ml.nlu_classifier(.scan.ocr.raw).intents,
 .name == "callback_scam" and .confidence == "high"
 )
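Review bot: The added line `or .key == "Software" and strings.starts_with(.value, "Android")` mixes `or` and `and` without parentheses; if `and` binds tighter than `or` in this language it reads as intended, but `.key == "Model" or (.key == "Software" and strings.starts_with(.value, "Android"))` makes the precedence explicit and avoids a silent widening of the exclusion should the reader assume left-to-right evaluation. The Android match is case-sensitive (`strings.starts_with`) while the iPhone check this rule previously carried used `strings.istarts_with`; confirm the Software tag is always capitalised this way or switch to the case-insensitive form for consistency. As with the Model check, both branches key on metadata that travels with the attachment, so the new comment could state that this is a false-positive reduction for legitimate phone photos and screenshots rather than a reliable indicator of benign origin, e.g. `// FP reduction only: EXIF Model/Software are sender-supplied and can be absent or arbitrary`. The enclosing `any(file.explode(.), …)` starts before the hunk.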