From 2dc8b78db03c847ee87a6368ea0c9459fe64ef42 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 20 Sep 2023 11:09:07 -0400
Subject: [PATCH 1/2] Negate FP: body_business_email_compromise_unsolicited.yml

Adding dmarc or gmail autoforward checks in conjunction with "via" in display name
---
 ...ody_business_email_compromise_unsolicited.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
index f47916f189f..911d91397be 100644
--- a/detection-rules/body_business_email_compromise_unsolicited.yml
+++ b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -27,7 +27,20 @@ source: |
 )
 ),
 )
-
+
+// negate "via" senders via dmarc authentication or gmail autoforwards
+and (
+(
+not any(distinct(headers.hops, .authentication_results.dmarc is not null),
+strings.ilike(.authentication_results.dmarc, "pass")
+or not any([headers.return_path.email],
+strings.ilike(headers.return_path.local_part, "*+caf_=*")
+)
+)
+and strings.contains(sender.display_name, "via")
+)
+)
+
 // unsolicited
 and (
 (
@@ -39,6 +52,7 @@ source: |
 and sender.email.domain.domain not in $recipient_domains
 )
 )
+
 attack_types:
 - "BEC/Fraud"
 tactics_and_techniques:
From e211608ffe515fbc85047450692ae8dcf515d4d4 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 20 Sep 2023 11:41:58 -0400
Subject: [PATCH 2/2] Update body_business_email_compromise_unsolicited.yml

---
 .../body_business_email_compromise_unsolicited.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
index 911d91397be..a3181b43bd8 100644
--- a/detection-rules/body_business_email_compromise_unsolicited.yml
+++ b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -30,14 +30,16 @@ source: |
 // negate "via" senders via dmarc authentication or gmail autoforwards
 and (
-(
-not any(distinct(headers.hops, .authentication_results.dmarc is not null),
+not (
+any(distinct(headers.hops, .authentication_results.dmarc is not null),
 strings.ilike(.authentication_results.dmarc, "pass")
-or not any([headers.return_path.email],
-strings.ilike(headers.return_path.local_part, "*+caf_=*")
+or (
+not any([headers.return_path.email],
+strings.ilike(headers.return_path.local_part, "*+caf_=*")
+)
+and strings.contains(sender.display_name, "via")
 )
 )
-and strings.contains(sender.display_name, "via")
 )
 )
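Review bot: The added `or (` sits inside the predicate of `any(distinct(headers.hops, …), …)`, so a single hop whose `authentication_results.dmarc` matches "pass" satisfies the predicate on its own and the outer `not (` then suppresses the whole rule without ever consulting `sender.display_name`; the `strings.contains(sender.display_name, "via")` check only gates the second branch. A DMARC pass only says the message is authorized for its own From domain, which a sender who controls that domain gets by default, so as written this appears to open a false-negative gap far wider than the "via" display names the comment describes. The second branch also reads inverted against the comment: `not any([headers.return_path.email], strings.ilike(headers.return_path.local_part, "*+caf_=*"))` is true when the return path is not a `+caf_=` autoforward, and that one-element `any(...)` wrapper (carried over from the first patch's hunk) never references its element, so it reduces to the bare `strings.ilike`. If the intent is what the comment states — suppress only when the display name contains "via" and the message either passes DMARC or is an autoforward — the negation block could be restructured as below, replacing the context line `and (` together with the added `not (`; the enclosing `source` query continues outside the hunk on both sides.
```yaml
    // negate "via" senders via dmarc authentication or gmail autoforwards
    and not (
      strings.contains(sender.display_name, "via")
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "pass")
        )
        or strings.ilike(headers.return_path.local_part, "*+caf_=*")
      )
    )
```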