From 1a9717378b2fbb5a856762a3fb98d5149eaea066 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Thu, 30 Nov 2023 11:01:03 -0500
Subject: [PATCH] Update embedded PDF JS (#1065)

---
 .../attachment_pdf_embedded_js.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/detection-rules/attachment_pdf_embedded_js.yml b/detection-rules/attachment_pdf_embedded_js.yml
index 65f7a188d9c..7a62da1dbb4 100644
--- a/detection-rules/attachment_pdf_embedded_js.yml
+++ b/detection-rules/attachment_pdf_embedded_js.yml
@@ -16,7 +16,33 @@ source: |
       )
     )
   )
+
+  and (
+    (
+      profile.by_sender().prevalence in ("new", "outlier")
+      and not profile.by_sender().solicited
+    )
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+tags:
+  - "Attack surface reduction"
 attack_types:
   - "Malware/Ransomware"
 tactics_and_techniques:
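Review bot: The high-trust exemption in the second added block is granted whenever no hop reports a DMARC failure, so a message that carries no DMARC result on any hop (the `distinct(headers.hops, .authentication_results.dmarc is not null)` set is empty and, as far as I can tell, `any(...)` over it is false) is treated as trusted and the rule is suppressed for that domain — which is exactly where a From-spoofed high-trust domain with stripped or absent Authentication-Results headers would land. I would make the exemption require an explicit pass instead of the absence of a fail, replacing the `"*fail"` check with `and not any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*pass"))` and updating the comment to `// negate highly trusted sender domains only when they pass DMARC authentication`. The new `profile.by_sender()` gate above it also means a PDF with embedded JS from an established, solicited sender no longer fires at all, which is a deliberate attack-surface-reduction trade-off that the rule description should state explicitly. Note that the `source: |` block begins before this hunk, and the outer `and (` opened before the `sender.email.domain.root_domain in` test has no visible closing `)` before `tags:` in this rendering; that is probably a display artifact (the diffstat counts 26 insertions and only 25 are shown) but is worth confirming against the file.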