From 1ee74aece7581953caac16d34a3b3cca357cfc2d Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Tue, 3 Oct 2023 14:00:52 -0700
Subject: [PATCH] Updating rule: attachment_free_subdomain_suspicious_link_language.yml (#767)

---
 .../attachment_free_subdomain_suspicious_link_language.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
index 11fa2309c25..628ae4b8c27 100644
--- a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
+++ b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
@@ -15,7 +15,7 @@ source: |
 and length(recipients.bcc) == 0
 and any(body.links,
 any(file.explode(beta.linkanalysis(.).screenshot),
- any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft")
+ any(ml.nlu_classifier(.scan.ocr.raw).intents, .name == "cred_theft" and .confidence != "low")
 )
 )
 attack_types:
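Review bot: The added guard `.confidence != "low"` on the cred_theft intent is a negative filter, so an intent whose confidence is absent or carries any value other than "low" still counts as a hit; if the intent is to require medium-or-high confidence, the positive form `.name == "cred_theft" and .confidence in ("medium", "high")` states that threshold directly and does not widen silently if the classifier ever emits an unexpected or empty confidence value. The change also records no rationale — neither the commit message nor the rule text says this is a false-positive reduction on OCR'd screenshot text or what it was tuned against — so a short MQL comment above the nlu_classifier call, e.g. `// drop low-confidence cred_theft hits from noisy OCR text to reduce false positives`, would help the next person who revisits this threshold. The any(...) chain this line belongs to opens and closes outside the hunk.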