From d970f3620a4aa54856d7c75d6504dd4631bb31de Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 13 Sep 2023 17:55:07 -0400
Subject: [PATCH] FP Tune: link_qr_code_suspicious_language_fts.yml (#788)

---
 .../link_qr_code_suspicious_language_fts.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 9b000eade0c..70a5f553c6b 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -7,19 +7,22 @@ type: "rule"
 severity: "medium" source: | type.inbound
-
+ // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
+ //
 and length(attachments) < 10 and any(attachments, .file_type in $file_types_images and any(file.explode(.), .scan.qr.type == "url"
-
+ // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains
- and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
+ and any(recipients.to,
+ strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid
+ )
 and .scan.qr.url.domain.root_domain not in $org_domains ) )
-
+ // NLU has identified cred_theft language with high confidence
 and ( any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -40,7 +43,7 @@ source: |
 ) ) )
-
+ // first-time sender
 and ( (
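Review bot: The added `.email.domain.valid` guard inside `any(recipients.to, …)` is the actual false-positive fix, but the new comment directly above it still describes only the substring match, so the reason for the guard is not recorded anywhere in the rule. Add a why-comment on that line, e.g. `// require a valid recipient domain so a malformed or empty recipient address cannot satisfy the icontains check trivially — TODO(review): confirm this is the FP case that motivated the tune`, so a later tuner does not drop it. The loop is still scoped to `recipients.to`, so a recipient address that appears only in cc presumably never satisfies this condition; that is pre-existing, but if it is intentional it deserves a word in the same comment. Separately, the lone `//` line added after the first comment reads as a leftover separator; a blank line, as used elsewhere in this source block, or no line at all would be cleaner.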