From 3316357e9d60d1de451c19dc9bbd518010082862 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 26 Oct 2023 08:27:16 -0700
Subject: [PATCH] Updating rule: link_credential_phishing_secure_message.yml

Negating Proofpoint encrypted messages.

---
 .../link_credential_phishing_secure_message.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
index 09618605c28..1ff0e5961c8 100644
--- a/detection-rules/link_credential_phishing_secure_message.yml
+++ b/detection-rules/link_credential_phishing_secure_message.yml
@@ -23,11 +23,15 @@ source: |
 // negate legitimate message senders
 and (
 sender.email.domain.root_domain not in ("protectedtrust.com")
- and any(body.links,
- .href_url.domain.root_domain != sender.email.domain.root_domain
- )
+ and any(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
 // Negate known secure mailer(s)
 and not all(body.links, .href_url.domain.root_domain in ("mimecast.com", "cisco.com"))
+ and any(headers.hops,
+ .index == 0
+ and not any(.fields,
+ strings.contains(.value, 'multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"')
+ )
+ )
 )
 and (
 profile.by_sender().prevalence in ("new", "outlier")
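Review bot: The new Proofpoint negation keys on a literal MIME boundary string (`multipart/mixed; boundary="PROOFPOINT_BOUNDARY_1"`) in any header field of hop 0, which is content the sending side controls rather than an authenticated signal, so the exclusion applies to any message carrying that header value, not only to genuine Proofpoint encrypted messages; it also appears to match across every field of the hop rather than just Content-Type. Consider narrowing the field being inspected and anchoring the negation to a sender-side check in the same spirit as the `sender.email.domain.root_domain` and `body.links` conditions above it, for example by combining it with the sender domain or the message's authentication results as the rule does elsewhere (the existing `protectedtrust.com` and `mimecast.com`/`cisco.com` negations are domain-based). A short comment on the intent would also help future maintainers, e.g. `// Negate Proofpoint encrypted messages identified by their MIME boundary header on the first hop`. Whether `.index == 0` denotes the originating hop and whether `strings.contains` is case-sensitive is not visible here and should be confirmed against the rule language. The enclosing `source: |` expression continues outside this hunk.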