From 7bd862d63b73ea35633d8b2825ce9b798b6feba8 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 19 Sep 2023 14:47:58 -0400
Subject: [PATCH] Update link_google_open_redirect_with_suspicious_indicators.yml (#749)

---
 ...le_open_redirect_with_suspicious_indicators.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
index e91911a9a39..a96f0c4381d 100644
--- a/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
+++ b/detection-rules/link_google_open_redirect_with_suspicious_indicators.yml
@@ -6,11 +6,13 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- // All attachments are images
- and length(attachments) > 0
- and all(attachments, .file_type in $file_types_images)
+ // All attachments are images or 0 attachments
+ and (
+ (length(attachments) > 0 and all(attachments, .file_type in $file_types_images))
+ or length(attachments) == 0
+ )
 and sender.email.domain.root_domain not in $org_domains
-
+
 // not a reply
 and (
 length(headers.references) == 0
@@ -52,7 +54,7 @@ source: |
 (
 any(ml.nlu_classifier(body.current_thread.text).entities, .name == "urgency")
 ),
-
+
 // White font is found in html raw
 (
 length(body.html.display_text) < 500
@@ -60,7 +62,7 @@ source: |
 '
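Review bot: The new attachment clause in the first hunk leaves the reader guessing why the `length(attachments) > 0 and` guard is there, because if `all()` is vacuously true on an empty list the whole parenthesised block collapses to the original `all(attachments, .file_type in $file_types_images)` on its own, and if it is not, the guard is load-bearing and should say so. A comment such as `// No attachments, or every attachment is an image; the length() guard makes the empty-list case explicit rather than relying on all() semantics` would settle that for the next maintainer. Dropping the attachment requirement also widens the set of inbound messages the rule evaluates, so the remaining conditions (the not-a-reply check in this hunk and the urgency and white-font indicators further down) now carry the whole false-positive burden, and the rule's name and description fields outside the hunk should be checked so they no longer state that attachments are required. The `source:` block continues past the end of the hunk.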