From 1e9d716da9e3b1eb40ebb24646060a557e4289a8 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 21 Nov 2023 08:28:02 -0800
Subject: [PATCH] Update impersonation_human_resources.yml (#1006)

Co-authored-by: Sam Scholten
---
 detection-rules/impersonation_human_resources.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index 0e4a77e8fe4..316da757473 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -12,7 +12,15 @@ source: |
 // Negate common marketing mailers
 and not regex.icontains(sender.display_name, 'HR (Events|Expert)')
- and (0 < length(body.links) < 10 or length(attachments) > 0)
+ and (
+ (0 < length(body.links) < 10 or length(attachments) > 0)
+ // mass-mailer infra abuse results in an inflated link count due to mailer templates that include links for unsubbing, changing preferences, etc.
+ // loosening the link count check as a result ensures we fire even with these conditions
+ or (
+ any(body.links, strings.ilike(.display_text, "*unsubscribe*", "update your preferences", "add us to your address book"))
+ and 0 < length(body.links) < 15
+ )
+ )
 // Request and Urgency
 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
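Review bot: Only the first pattern in the added `any(body.links, strings.ilike(.display_text, ...))` line is wildcarded, so `"update your preferences"` and `"add us to your address book"` match only when a link's display text is, case-insensitively, exactly that phrase, while `"*unsubscribe*"` matches as a substring; footer text such as "Update your preferences here" would miss and the loosened link-count branch would never engage for it. If substring matching is intended, as the comment about mailer templates suggests, make the three patterns consistent: `strings.ilike(.display_text, "*unsubscribe*", "*update your preferences*", "*add us to your address book*")`. The two added comment lines could also record where the `< 15` bound comes from, since once a footer link matches it is the only remaining gate on this branch and a future tuner has nothing to reason from. The rule's `source` block begins and ends outside the hunk.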