FP Tune: link_qr_code_suspicious_language_fts.yml (#788)

detection-rules/link_qr_code_suspicious_language_fts.yml

@@ -7,19 +7,22 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-
+  
   // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
+  // and length(attachments) < 10
   and any(attachments,
           .file_type in $file_types_images
           and any(file.explode(.),
                   .scan.qr.type == "url"
-
+  
                   // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains
-                  and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
+                  and any(recipients.to,
+                          strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid
+                  )
                   and .scan.qr.url.domain.root_domain not in $org_domains
           )
   )
-
+  
   // NLU has identified cred_theft language with high confidence
   and (
     any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -40,7 +43,7 @@ source: |
       )
     )
   )
-
+  
   // first-time sender
   and (
     (