Merge branch 'main' into bfilar.sender_domain_whois_signal

detection-rules/impersonation_amazon.yml

@@ -25,9 +25,15 @@ source: |
       and sender.email.domain.root_domain in $free_email_providers
     )
   )
+  // negate listservs
+  and not (
+      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+      and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in~ (
     'amazon.com',
     'amazon.com.au',
+    'amazon.com.be',
     'amazon.co.uk',
     'amazon.de',
     'amazon.es',

detection-rules/impersonation_github.yml

@@ -13,6 +13,11 @@ source: |
     or strings.ilike(sender.email.email, '*github*')
     or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
   )
+  // negating listservs
+  and not (
+      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+      and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in (
     'github.com',
     'gitlab.com',

detection-rules/link_credential_phishing_intent_and_other_indicators.yml

@@ -279,7 +279,8 @@ source: |
           // this is common in link tracking, both for
           // benign marketing traffic but also attackers
           any(recipients.to,
-              strings.icontains(..href_url.url, .email.local_part)
+              .email.domain.valid
+              and strings.icontains(..href_url.url, .email.local_part)
               and strings.icontains(..href_url.url, .email.domain.domain)
           )
   )
@@ -290,12 +291,12 @@ source: |
   and (
     // freemail providers should never be sending this type of email
     sender.email.domain.domain in $free_email_providers
-
+  
     // if not freemail, it's suspicious if the sender's root domain
     // doesn't match any links in the body
     or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
   )
-
+  
   // first-time sender
   and (
     (