Exclude internal mailers where there's no SPF configured from HTML lo…

…gin portal attachment (#730)

Co-authored-by: Sam Scholten <[email protected]>

detection-rules/attachment_html_attachment_login_page.yml

@@ -44,7 +44,7 @@ source: |
                       )
                     )
                   )
-                  or 
+                  or
                   //Known phishing obfuscation
                   2 of (
                     // Enter password
@@ -53,14 +53,14 @@ source: |
                                       "*Enter passwor&#100*"
                         )
                     ),
-  
-                    // Forgotten my password  
-                    any(.scan.strings.strings,  
-                        strings.ilike(.,  
+
+                    // Forgotten my password
+                    any(.scan.strings.strings,
+                        strings.ilike(.,
                                       "*Forgotten my passwor&#100*"
                         )
                     ),
-  
+
                     // Sign in
                     any(.scan.strings.strings,
                         strings.ilike(., "*Sign i&#110*")
@@ -69,6 +69,20 @@ source: |
           )
   )
 
+  and (
+    (
+      // exclude internal mailers where there is no SPF configured.
+      // if the sender's root domain is an org domain, we
+      // ensure there's no SPF failures to protect against spoofs.
+      // we use root_domain because it's typically subdomains that are misconfigured
+      sender.email.domain.root_domain in $org_domains
+      and not any(distinct(headers.hops, .received_spf.verdict is not null),
+                  strings.ilike(.received_spf.verdict, "*fail")
+      )
+    )
+    or sender.email.domain.root_domain not in $org_domains
+  )
+
   // negate highly trusted sender domains unless they fail DMARC authentication
   and
   (
@@ -83,6 +97,7 @@ source: |
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
+
   and (
     (
       not profile.by_sender().solicited