Update impersonation_microsoft_credential_theft.yml (#2242)

detection-rules/impersonation_microsoft_credential_theft.yml

@@ -58,6 +58,12 @@ source: |
     and headers.auth_summary.dmarc.details.from.domain == "planner.office365.com"
   )
   
+  // message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
+  and not (
+    strings.ilike(headers.message_id, '<Share-*', '<MassDelete-*')
+    and strings.ends_with(headers.message_id, '@odspnotify>')
+  )
+
   // negate highly trusted sender domains unless they fail DMARC authentication
   and (
     (