From ef91b1a7c138d8eb566ac0871d7c6d73fd3fd8be Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Tue, 21 Nov 2023 10:44:38 -0500
Subject: [PATCH] Add unsolicited (#1009)

---
 detection-rules/attachment_any_html_new_sender.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
index 303df0db404..24b9045117d 100644
--- a/detection-rules/attachment_any_html_new_sender.yml
+++ b/detection-rules/attachment_any_html_new_sender.yml
@@ -12,7 +12,10 @@ source: |
 type.inbound
 and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
 and (
- profile.by_sender().prevalence in ("new", "outlier")
+ (
+ profile.by_sender().prevalence in ("new", "outlier")
+ and not profile.by_sender().solicited
+ )
 or profile.by_sender().any_messages_malicious_or_spam
 )
 and not profile.by_sender().any_false_positives
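Review bot: The added `and not profile.by_sender().solicited` clause exempts every new or outlier sender that the recipient has apparently already written to (assuming `solicited` carries the meaning its name suggests), so an HTML attachment arriving through a hijacked thread or a compromised contact's mailbox no longer matches the first branch and is only caught if `any_messages_malicious_or_spam` is already set for that sender. That is a reasonable false-positive trade-off for a broad HTML-attachment rule, but nothing in the hunk records it, and HTML smuggling is exactly the payload that tends to ride on an existing conversation. I would add a comment next to the new clause, e.g. `// solicited senders are excluded to reduce FPs; a compromised correspondent is covered only by the malicious/spam branch`, or state the exclusion in the rule description. The `source` block begins before this hunk and may continue after it, so the rule's name and description fields are not visible here to confirm they were updated with the change.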