diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 75d5f2e3000..33f208a7899 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -9,21 +9,26 @@ source: |
 and (
 any(attachments, (.file_type in $file_types_images or .file_type == "pdf")
- and any(file.explode(.),
+ and (
+ any(ml.nlu_classifier(beta.ocr(.).text).intents,
+ .name == "callback_scam" and .confidence in ("medium", "high")
+ )
+ or any(file.explode(.),
- // exclude images taken with mobile cameras and screenshots from android
- not any(.scan.exiftool.fields,
- .key == "Model"
- or (
- .key == "Software"
- and strings.starts_with(.value, "Android")
- )
- or (.key == "UserComment" and .value == "Screenshot")
- )
- and any(ml.nlu_classifier(.scan.ocr.raw).intents,
- .name == "callback_scam"
- and .confidence in ("medium", "high")
- )
+ // exclude images taken with mobile cameras and screenshots from android
+ not any(.scan.exiftool.fields,
+ .key == "Model"
+ or (
+ .key == "Software"
+ and strings.starts_with(.value, "Android")
+ )
+ or (.key == "UserComment" and .value == "Screenshot")
+ )
+ and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "callback_scam"
+ and .confidence in ("medium", "high")
+ )
+ )
 )
 and (
 // negate noreply unless a logo is found in the attachment