From d42a67ee37c90748d1fe99dcf62c5047bbaf8973 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 13 Nov 2024 17:59:04 -0500
Subject: [PATCH] Update credential_phishing_one_drive_impersonation.yml
---
 .../credential_phishing_one_drive_impersonation.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/detection-rules/credential_phishing_one_drive_impersonation.yml b/detection-rules/credential_phishing_one_drive_impersonation.yml
index 192b5ffcc87..20d3c25de33 100644
--- a/detection-rules/credential_phishing_one_drive_impersonation.yml
+++ b/detection-rules/credential_phishing_one_drive_impersonation.yml
@@ -13,6 +13,7 @@ source: |
 "one?drive"
 ) < 2
 )
+ or regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')
 // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
 or (
 regex.icontains(strings.replace_confusables(subject.subject),
@@ -27,7 +28,7 @@ source: |
 or regex.contains(subject.subject, '(shared.{0,30}document)')
 or any(body.links,
 regex.icontains(.display_text,
- "((view|show|access).document|review doc|view doc|view.attached)"
+ "((view|show|access).(?:report|document)|review doc|view doc|view.attached)"
 )
 )
 )
@@ -71,7 +72,7 @@ source: |
 )
 and not profile.by_sender().solicited
 and not profile.by_sender().any_false_positives
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
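Review bot: The added `regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')` uses a match function where every neighbouring condition in this rule tests with `regex.icontains`; if `imatch` anchors the pattern to the whole input, as its name and the trailing `.*` suggest, the body text has to begin with the OneDrive token and `.*` must then consume everything after it, which fails as soon as the body spans more than one line because `.` does not match newlines by default. The substring form `or regex.icontains(body.current_thread.text, '[0o]ne\s?dr[il1]ve')` expresses the intended check without the trailing wildcard. This branch is also OR'd at the top level of the detection, so a body that merely mentions OneDrive now satisfies this block on its own, leaving the `and not profile.by_sender()…` exclusions in the last hunk (and whatever sits between the hunks) as the only false-positive guards; a comment in the style of the `// or one drive is in the subject…` line that follows, stating that this widening is deliberate, would help the next maintainer. The enclosing `source:` expression begins and ends outside the hunk.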
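Review bot: In the new display-text pattern the verb group `(view|show|access)` still captures while the added noun group `(?:report|document)` does not; nothing consumes the capture, so `(?:view|show|access)` would make the two halves consistent. The `.` between them is an unescaped wildcard and matches any single character, so `view_report` or `viewxreport` qualify alongside `view report`; that is presumably intentional, but if a separator is what is meant, `[ _-]` (or `\\s`, escaped once for the YAML double quotes) states it precisely. This `any(body.links, …)` predicate sits inside a parenthesised group whose opening lies above the hunk.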