From 5b75f1f4d96d85a15d9f4c835281722e315cd2a9 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 20 Sep 2023 11:13:50 -0400
Subject: [PATCH] Negate FP: link_credential_phishing_voicemail_language.yml

Negating automatic replies.
---
 ...credential_phishing_voicemail_language.yml | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml
index 0df96e25fe3..a5eb16d114e 100644
--- a/detection-rules/link_credential_phishing_voicemail_language.yml
+++ b/detection-rules/link_credential_phishing_voicemail_language.yml
@@ -25,7 +25,11 @@ source: |
 all(body.links,
 .href_url.domain.root_domain != sender.email.domain.root_domain
 and .href_url.domain.root_domain not in $org_domains
- and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com")
+ and .href_url.domain.root_domain not in (
+ "unitelvoice.com",
+ "googleapis.com",
+ "dialmycalls.com"
+ )
 )
 ),
 (
@@ -34,6 +38,20 @@ source: |
 ),
 )
 and sender.email.domain.root_domain not in ("magicjack.com", "unitelvoice.com")
+
+ // negating legit replies
+ and not (
+ (
+ strings.istarts_with(subject.subject, "RE:")
+ // out of office auto-reply
+ // the NLU model will handle these better natively soon
+ or strings.istarts_with(subject.subject, "Automatic reply:")
+ )
+ and (
+ length(headers.references) > 0
+ or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
+ )
 and (
 (
 sender.email.domain.root_domain in $free_email_providers
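Review bot: The new `and not (...)` exemption in the second hunk rests entirely on sender-controlled signals — a subject starting with `RE:` or `Automatic reply:` plus any non-empty `References` header or an `In-Reply-To` field in any hop — so a voicemail lure that simply forges those (the usual thread-hijacking pattern) is skipped by this rule outright, and the `RE:` branch is also much wider than the commit's stated goal of negating automatic replies. Consider narrowing it: keep only the `Automatic reply:` branch, or additionally require that the referenced message-id belongs to an `$org_domains` domain if the rule language exposes that, or gate the auto-reply case on an auto-response header such as `Auto-Submitted` rather than the subject prefix alone. At minimum the comment should record the trade-off so the next tuner does not widen it further, e.g. `// negating legit replies (subject prefix and References/In-Reply-To are sender-controlled, so this is a known bypass path)`. The enclosing `source: |` expression begins and ends outside this hunk.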