diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
index 85e5a5d2684..393a0ef1dc7 100644
--- a/detection-rules/headers_replyto_mismatch_sus_tld.yml
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
@@ -8,81 +8,9 @@ source: |
 and (
 any(headers.reply_to, .email.email != sender.email.email
- and any([.email.domain.tld, sender.email.domain.tld],
-
- // https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt
- . in (
- "ae",
- "agency",
- "asia",
- "autos",
- "bar",
- "beauty",
- "bid",
- "bio",
- "biz",
- "boats",
- "boston",
- "boutique",
- "buzz",
- "cf",
- "cfd",
- "cn",
- "cyou",
- "dad",
- "dance",
- "degree",
- "discount",
- "esq",
- "fit",
- "foo",
- "fun",
- "fyi",
- "gdn",
- "gq",
- "guru",
- "hair",
- "haus",
- "in",
- "jp",
- "live",
- "loan",
- "loans",
- "makeup",
- "market",
- "ml",
- "mom",
- "monster",
- "mov",
- "name",
- "nexus",
- "okinawa",
- "ooo",
- "phd",
- "prof",
- "pw",
- "quest",
- "rest",
- "review",
- "ru",
- "sbs",
- "skin",
- "space",
- "surf",
- "tk",
- "tokyo",
- "top",
- "uno",
- "voto",
- "website",
- "wiki",
- "work",
- "wtf",
- "xyz",
- "zip",
- "zone"
- )
- )
+ and .email.domain.domain != sender.email.domain.domain
+ and not strings.icontains(sender.display_name, "marketing")
+ and any([.email.domain.tld, sender.email.domain.tld], . in $suspicious_tlds)
 )
 )
 tactics_and_techniques:
@@ -92,4 +20,4 @@ detection_methods:
 - "Sender analysis"
 id: "a5f5b25a-0b7d-5ecc-8cf8-295a8433bad1"
 testing_pr: 782
-testing_sha: 6cb6d80dadb1c649790026ac7a291629fb539604
+testing_sha: 9611a3e517c280c98beea720aa4b32c536232478
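Review bot: The new `and not strings.icontains(sender.display_name, "marketing")` line suppresses the detection on a header field the sender fully controls, so a phisher whose Reply-To sits on a `$suspicious_tlds` domain can bypass this rule simply by putting "Marketing" in the From display name. If the goal is to cut false positives from legitimate bulk mail, anchor the exception on something harder to forge — the sender's registered domain, or an authentication/reputation result if the rule language exposes one — rather than a display-name substring, and record the trade-off above the line, e.g. `// NOTE: display_name is attacker-controlled; keep any exception here narrowly scoped`. Separately, the removed inline list carried a provenance comment pointing at the hagezi spam-TLD blocklist; an equivalent note beside the `$suspicious_tlds` reference would keep the list's origin and refresh cadence traceable for reviewers. The `source:` block scalar that encloses these lines begins before this hunk.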