sublime-security · jkamdjou · Nov 17, 2023 · Nov 15, 2023 · Nov 16, 2023 · Nov 17, 2023
@@ -1,4 +1,4 @@
-name: "Free subdomain link with login or captcha (first-time sender)"
+name: "Free subdomain link with login or captcha (first-time sender, unsolicited)"
 description: |
   Message contains a link that uses a free subdomain provider, and has a login or captcha on the page.
 type: "rule"
@@ -29,12 +29,19 @@ source: |
   // exclude FP prone senders
   and sender.email.domain.root_domain not in ("sharepointonline.com")
   and (
-    profile.by_sender().prevalence in ("new", "outlier")
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      or (
+        profile.by_sender().any_messages_malicious_or_spam
+        and not profile.by_sender().any_false_positives
+      )
+    )
+    and (
+      not profile.by_sender().solicited
+      or profile.by_sender().any_messages_malicious_or_spam
     )
   )
+  and not profile.by_sender().any_false_positives
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: