From cfbd6ecc6b94416e898a284b2601d838eb91b83a Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 6 Nov 2023 12:40:00 -0500
Subject: [PATCH 1/2] Update body_advance_fee_new_sender.yml

---
 detection-rules/body_advance_fee_new_sender.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/detection-rules/body_advance_fee_new_sender.yml b/detection-rules/body_advance_fee_new_sender.yml
index 35ce0ca2aa7..6b1f8fe3156 100644
--- a/detection-rules/body_advance_fee_new_sender.yml
+++ b/detection-rules/body_advance_fee_new_sender.yml
@@ -23,8 +23,16 @@ source: |
       )
       or sender.email.domain.tld in $suspicious_tlds
     )
-    and any(ml.nlu_classifier(body.current_thread.text).tags,
-            .name == "advance_fee" and .confidence in ("medium", "high")
+    and (
+      any(ml.nlu_classifier(body.current_thread.text).tags,
+          .name == "advance_fee" and .confidence in ("medium", "high")
+      )
+      or (
+        length(body.current_thread.text) < 200
+        and regex.icontains(body.current_thread.text,
+                            '(donation|inheritence|\$\d,\d\d\d\,\d\d\d|lottery)'
+        )
+      )
     )
     and (
       profile.by_sender().prevalence in ("new", "outlier")

From 8a10530fb5204f86b892cb7a511b31c2c79466a7 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 30 Jan 2024 11:16:41 -0500
Subject: [PATCH 2/2] Update body_advance_fee_new_sender.yml

---
 detection-rules/body_advance_fee_new_sender.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/detection-rules/body_advance_fee_new_sender.yml b/detection-rules/body_advance_fee_new_sender.yml
index 6b1f8fe3156..963d4def4a9 100644
--- a/detection-rules/body_advance_fee_new_sender.yml
+++ b/detection-rules/body_advance_fee_new_sender.yml
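Review bot: The alternation added on the new `regex.icontains` line spells the keyword `inheritence`, so a body using the standard spelling "inheritance" never satisfies this branch; `inherit[ae]nce` would match both forms, and the same literal is carried forward unchanged into the second patch's hunk. The amount pattern `\$\d,\d\d\d\,\d\d\d` matches only seven-digit figures with two thousands separators, and the `\,` is an unnecessary escape of a literal comma; if smaller sums are meant to count, `\$\d{1,3}(,\d{3})+` is the broader form. The `donation` and `lottery` alternatives are bare words, so a short comment on the `or (` branch stating that it is deliberately scoped by the `length(body.current_thread.text) < 200` guard and the sender-prevalence condition would help a later maintainer judge its false-positive risk. The enclosing `source: |` block starts before this hunk.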
@@ -30,18 +30,16 @@ source: |
       or (
         length(body.current_thread.text) < 200
         and regex.icontains(body.current_thread.text,
-                            '(donation|inheritence|\$\d,\d\d\d\,\d\d\d|lottery)'
+                            '(donation|inheritence|\$\d,\d{3}\,\d{3}|lottery)'
         )
       )
     )
     and (
-      profile.by_sender().prevalence in ("new", "outlier")
-      or (
-        profile.by_sender().any_messages_malicious_or_spam
-        and not profile.by_sender().any_false_positives
+      not profile.by_sender().solicited
+      or profile.by_sender().any_messages_malicious_or_spam
     )
-    )
-
+
+    and not profile.by_sender().any_false_positives
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
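Review bot: Moving `and not profile.by_sender().any_false_positives` outside the `and (` group widens its scope: it previously gated only the `any_messages_malicious_or_spam` branch, and it now also suppresses the new `not profile.by_sender().solicited` branch, so an unsolicited sender with a single recorded false positive is exempted from the rule entirely. If that is intended it is worth stating in the rule's description (not visible here), since the file name `body_advance_fee_new_sender.yml` and the dropped `prevalence in ("new", "outlier")` check suggest the rule was framed around new senders, and the `solicited` profile flag is a different signal whose meaning a later reader will have to look up. The tightened regex still carries the unnecessary `\,` escape; `'(donation|inheritence|\$\d,\d{3},\d{3}|lottery)'` is equivalent. The enclosing `source: |` block starts before this hunk.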