Negate FP: body_business_email_compromise_unsolicited.yml (#802)

detection-rules/body_business_email_compromise_unsolicited.yml

@@ -27,7 +27,22 @@ source: |
       )
     ),
   )
-
+  
+  // negate "via" senders via dmarc authentication or gmail autoforwards
+  and (
+    not (
+      any(distinct(headers.hops, .authentication_results.dmarc is not null),
+          strings.ilike(.authentication_results.dmarc, "pass")
+          or (
+            not any([headers.return_path.email],
+                    strings.ilike(headers.return_path.local_part, "*+caf_=*")
+            )
+            and strings.contains(sender.display_name, "via")
+          )
+      )
+    )
+  )
+  
   // unsolicited
   and (
     (
@@ -39,6 +54,7 @@ source: |
       and sender.email.domain.domain not in $recipient_domains
     )
   )
+
 attack_types:
   - "BEC/Fraud"
 tactics_and_techniques: