From ef7fca4c30b844925fe5c4edcb67424af3436484 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 25 Oct 2024 09:06:40 -0400
Subject: [PATCH] Update callback_phishing_nlu_body_or_attachments.yml

---
 ...lback_phishing_nlu_body_or_attachments.yml | 33 +++++++++++--------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 75d5f2e3000..33f208a7899 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -9,21 +9,26 @@ source: |
 and (
 any(attachments,
 (.file_type in $file_types_images or .file_type == "pdf")
- and any(file.explode(.),
+ and (
+ any(ml.nlu_classifier(beta.ocr(.).text).intents,
+ .name == "callback_scam" and .confidence in ("medium", "high")
+ )
+ or any(file.explode(.),
- // exclude images taken with mobile cameras and screenshots from android
- not any(.scan.exiftool.fields,
- .key == "Model"
- or (
- .key == "Software"
- and strings.starts_with(.value, "Android")
- )
- or (.key == "UserComment" and .value == "Screenshot")
- )
- and any(ml.nlu_classifier(.scan.ocr.raw).intents,
- .name == "callback_scam"
- and .confidence in ("medium", "high")
- )
+ // exclude images taken with mobile cameras and screenshots from android
+ not any(.scan.exiftool.fields,
+ .key == "Model"
+ or (
+ .key == "Software"
+ and strings.starts_with(.value, "Android")
+ )
+ or (.key == "UserComment" and .value == "Screenshot")
+ )
+ and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "callback_scam"
+ and .confidence in ("medium", "high")
+ )
+ )
 )
 and (
 // negate noreply unless a logo is found in the attachment