From 3a2ead9cec45d36692f6b9bdcb359cd8575da643 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 14 Nov 2024 13:25:57 -0800
Subject: [PATCH] Update link_dynamics_form.yml (#2086)
---
 detection-rules/link_dynamics_form.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/detection-rules/link_dynamics_form.yml b/detection-rules/link_dynamics_form.yml
index fd2c2d0df4e..a1b9af5f18b 100644
--- a/detection-rules/link_dynamics_form.yml
+++ b/detection-rules/link_dynamics_form.yml
@@ -10,12 +10,17 @@ source: |
 and any(body.links, .href_url.domain.domain in ("ncv.microsoft.com", "customervoice.microsoft.com")
 and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"
-
+ // confirm it is a form
- and any(ml.link_analysis(.).final_dom.links,
- .href_url.domain.domain == "cdn.forms.office.net"
+ and (
+ any(ml.link_analysis(.).final_dom.links,
+ .href_url.domain.domain == "cdn.forms.office.net"
+ )
+ or strings.icontains(ml.link_analysis(.).final_dom.raw,
+ "cdn.forms.office.net"
+ )
 )
-
+ // analyze for credential phishing signals
 and (
 any(file.explode(ml.link_analysis(.).screenshot),