Merge branch 'main' into josh.ooo_reply

sublime-security · Sep 20, 2023 · da53e69 · da53e69
2 parents d3ac245 + fdf9156
commit da53e69
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml
@@ -8,26 +8,28 @@ source: |
   and any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
   )
-
+  
   // ----- other suspicious signals here -----
   and strings.icontains(body.html.display_text, "secure message")
-
+  
   // todo: automated display name / human local part
   // todo: suspicious link (unfurl click trackers)
-
+  
   // ----------
-
+  
   // has at least 1 link
   and length(body.links) > 0
-
+  
   // negate legitimate message senders
   and (
     sender.email.domain.root_domain not in ("protectedtrust.com")
     and any(body.links,
             .href_url.domain.root_domain != sender.email.domain.root_domain
     )
+    // Negate known secure mailer(s)
+    and not all(body.links, .href_url.domain.root_domain in ("mimecast.com"))
   )
-
+  
   // first-time sender
   and (
     (