From 9615ee363e741a4601177566b55f783d3f902a72 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 19 Dec 2024 14:30:32 -0800
Subject: [PATCH] Update impersonation_microsoft_credential_theft.yml (#2242)

---
 .../impersonation_microsoft_credential_theft.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/detection-rules/impersonation_microsoft_credential_theft.yml b/detection-rules/impersonation_microsoft_credential_theft.yml
index fc4d734c2be..6874acdcd09 100644
--- a/detection-rules/impersonation_microsoft_credential_theft.yml
+++ b/detection-rules/impersonation_microsoft_credential_theft.yml
@@ -58,6 +58,12 @@ source: |
 and headers.auth_summary.dmarc.details.from.domain == "planner.office365.com"
 )
+ // message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
+ and not (
+ strings.ilike(headers.message_id, '')
+ )
+ // negate highly trusted sender domains unless they fail DMARC authentication
 and (
 (