From f286a0de9fbe465e2b2871e6ea519feafbcd15cc Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot <hello@sublimesecurity.com>
Date: Tue, 8 Oct 2024 16:28:14 +0000
Subject: [PATCH] Scheduled cleanup

Removed 1947
---
 .../impersonation_employee_payroll_fraud.yml  | 60 -------------------
 1 file changed, 60 deletions(-)
 delete mode 100644 detection-rules/impersonation_employee_payroll_fraud.yml

diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml
deleted file mode 100644
index 02b0e77a12a..00000000000
--- a/detection-rules/impersonation_employee_payroll_fraud.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-name: "Employee Impersonation: Payroll Fraud"
-description: |
-  This rule detects messages impersonating employees, from unsolicited senders attempting to reroute payroll
-  or alter payment details.
-type: "rule"
-severity: "high"
-source: |
-  type.inbound
-
-  // ensure the display name contains a space to avoid single named process accounts eg. 'billing, payment'
-  and strings.contains(sender.display_name, " ")
-  and sender.display_name in~ $org_display_names
-  and length(attachments) == 0
-  and length(body.links) < 10
-  and length(body.current_thread.text) < 800
-  and (
-    sender.email.domain.root_domain not in $org_domains
-    or sender.email.domain.root_domain in $free_email_providers
-  )
-  and 1 of (
-    regex.icontains(body.current_thread.text,
-                    '(pay\s?(roll|check|date|day)|direct deposit|\bACH\b|\bdd\b|gehalt|salario|salary)'
-    ),
-    regex.icontains(subject.subject,
-                    '(pay\s?(roll|check|date|day)|direct deposit|\bACH\b|\bdd\b|gehalt|salario|salary)'
-    )
-  )
-  and (
-    not profile.by_sender().solicited
-    or (
-      profile.by_sender().any_messages_malicious_or_spam
-      and not profile.by_sender().any_false_positives
-    )
-  )
-  and not profile.by_sender().any_false_positives
-
-  // negate highly trusted sender domains unless they fail DMARC authentication
-  and (
-    (
-      sender.email.domain.root_domain in $high_trust_sender_root_domains
-      and (
-        any(distinct(headers.hops, .authentication_results.dmarc is not null),
-            strings.ilike(.authentication_results.dmarc, "*fail")
-        )
-      )
-    )
-    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
-  )
-attack_types:
-  - "BEC/Fraud"
-tactics_and_techniques:
-  - "Impersonation: Employee"
-  - "Free email provider"
-  - "Social engineering"
-detection_methods:
-  - "Content analysis"
-  - "Sender analysis"
-id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992"
-testing_pr: 1947
-testing_sha: 63161179308e0502bc3f292d8d0e1f4c7b9998fe