From daadfc739ab14399504d98e87cf9fd6393ce6925 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 18 Oct 2023 18:31:26 -0400
Subject: [PATCH] Update detection-rules/body_microsoft_logo_bing_redirect.yml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
---
 detection-rules/body_microsoft_logo_bing_redirect.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/detection-rules/body_microsoft_logo_bing_redirect.yml b/detection-rules/body_microsoft_logo_bing_redirect.yml
index f115d7d27f6..971e62d5e26 100644
--- a/detection-rules/body_microsoft_logo_bing_redirect.yml
+++ b/detection-rules/body_microsoft_logo_bing_redirect.yml
@@ -44,7 +44,10 @@ source: |
 )
 // Bing redirect
- and any(body.links, any(.href_url.rewrite.encoders, strings.contains(., "bing_open_redirect")))
+ and any(body.links,
+ (.href_url.domain.root_domain == 'bing.com' and .href_url.path =~ '/ck/a')
+ or "bing_open_redirect" in .href_url.rewrite.encoders
+ )
 and sender.email.domain.root_domain not in $org_domains
 and sender.email.domain.root_domain not in (
 "bing.com",
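Review bot: The two branches inside `any(body.links, ...)` are covered only by the existing `// Bing redirect` comment, so a later maintainer cannot tell why the direct domain/path match sits next to the encoder check. A comment above the first branch, such as `// direct match on the Bing click-tracking path, for links the URL decoder did not tag as bing_open_redirect`, would record the intent; that reason is inferred, so confirm it with the author. The comparison `.href_url.path =~ '/ck/a'` appears to be an equality test rather than a prefix or pattern match, so it is worth checking against rule telemetry that the parsed path of the links this rule targets is exactly that value. The new literals use single quotes while the list below uses double quotes (`"bing.com"`), and matching the file's quoting would keep the rule consistent. The `source` expression starts and ends outside this hunk, so the interaction with the logo condition and the sender exclusions is not visible here.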