From 893311e02889f7e6ae7992c70521d75dd208e7f2 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 19 Oct 2023 20:02:20 +0000
Subject: [PATCH] Sync from PR#668 New rule: Microsoft SCL very high and message not in spam folder by @morriscode https://github.com/sublime-security/sublime-rules/pull/668 Source SHA ca483e4ba7cadd9dea3b5be7636d9e8ab14fa026 Triggered by @morriscode

---
 .../spam_high_microsoft_scl_not_in_spam_folder.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml b/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml
index 0d8e1ec6d05..af908a3fe56 100644
--- a/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml
+++ b/detection-rules/spam_high_microsoft_scl_not_in_spam_folder.yml
@@ -13,13 +13,10 @@ source: |
   )
   and external.spam is null
   and (
-    (
-      sender.email.domain.root_domain in $free_email_providers
-      and sender.email.email not in $sender_emails
-    )
+    profile.by_sender().prevalence in ("new", "outlier")
     or (
-      sender.email.domain.root_domain not in $free_email_providers
-      and sender.email.domain.domain not in $sender_domains
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
     )
   )
 attack_types:
@@ -29,4 +26,4 @@ detection_methods:
   - "Sender analysis"
 id: "801a5470-0498-55ba-a590-4cb105038e95"
 testing_pr: 668
-testing_sha: f715f1823ea70bb122765225d74d001fc406357c
+testing_sha: ca483e4ba7cadd9dea3b5be7636d9e8ab14fa026
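Review bot: The false-positive guard in the first hunk is applied asymmetrically: `not profile.by_sender().any_false_positives` only protects the `any_messages_malicious_or_spam` branch, while the `prevalence in ("new", "outlier")` branch fires even for an "outlier" sender whose earlier messages were already reported as false positives. For a "new" sender that history presumably cannot exist, but "outlier" senders do have one, so this looks like an unintended gap rather than a deliberate choice. If the intent is that any sender with a false-positive history should never match, hoist `and not profile.by_sender().any_false_positives` to sit directly after `and external.spam is null` and collapse the inner group to `or profile.by_sender().any_messages_malicious_or_spam`; if the asymmetry is intentional, a one-line comment above the `and (` saying why new/outlier senders bypass the false-positive check would save the next reader the same question. The `source: |` block this hunk edits starts before the hunk, and the removed `$sender_emails`/`$sender_domains` list checks are no longer referenced anywhere in the visible rule, so the rule's description (outside the hunk) should be checked to make sure it no longer mentions the free-mail/known-sender list logic.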