From 8836f3185578c7675463b09386b5427344ca1ca4 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Wed, 18 Oct 2023 16:39:25 -0600
Subject: [PATCH] Update regex in rules to remove line-based matches

---
 detection-rules/attachment_eml_html_attachment_portal.yml | 2 +-
 .../recipients_undisclosed_nlu_cred_theft_low_rep_links.yml | 2 +-
 signals/sender/sender_display_is_upper.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/detection-rules/attachment_eml_html_attachment_portal.yml b/detection-rules/attachment_eml_html_attachment_portal.yml
index 2bcdd9998c4..c52cc1a2dee 100644
--- a/detection-rules/attachment_eml_html_attachment_portal.yml
+++ b/detection-rules/attachment_eml_html_attachment_portal.yml
@@ -8,7 +8,7 @@ source: |
 // exclude bounce backs & read receipts
 and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
- and not regex.icontains(subject.subject, "^(undeliverable|read:)")
+ and not regex.imatch(subject.subject, "(undeliverable|read:).*")
 and not any(attachments, .content_type == "message/delivery-status")
 // if the "References" is in the body of the message, it's probably a bounce
diff --git a/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml b/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml
index 6c0073e7007..0d13d7d1975 100644
--- a/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml
+++ b/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml
@@ -13,7 +13,7 @@ source: |
 regex.icontains(.display_text,
 '(view|click|download|goto)?(attachment|download|file|online|document)s?'
 )
- or all(body.links, regex.contains(.display_text, "^[A-Z ]+$"))
+ or all(body.links, regex.match(.display_text, "[A-Z ]+"))
 )
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
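Review bot: `regex.imatch(subject.subject, "(undeliverable|read:).*")` is only equivalent to the old prefix test if `.` in this regex dialect matches a newline; if it does not, a subject containing a line break (the very case the commit title targets) no longer satisfies the full-string match, the surrounding `not` becomes true, and that bounce or read receipt is no longer excluded from the rule. Worth confirming against the engine, and if `.` is newline-excluding, using whichever dot-all flag the dialect offers or documenting the limitation. A short comment on the line would also record the intent: `// anchored to the start of the whole subject, not of any line within it`. The `source` block this line belongs to begins and ends outside the hunk.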
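Review bot: `regex.match(.display_text, "[A-Z ]+")` still accepts a display text consisting only of spaces as "all capitals", because the class admits a space and nothing in the pattern requires a letter; the sibling signal `signals/sender/sender_display_is_upper.yml` in this same patch requires at least one `[A-Z]`, so `"[A-Z ]*[A-Z][A-Z ]*"` would be consistent with it and tighter. This was already true of the old `^[A-Z ]+$`, so it is a follow-up rather than a regression from removing the anchors. The `any(...)`/`all(...)` expression this line sits inside opens and closes outside the hunk.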
diff --git a/signals/sender/sender_display_is_upper.yml b/signals/sender/sender_display_is_upper.yml
index 04a29ffc9e5..38108d0d97e 100644
--- a/signals/sender/sender_display_is_upper.yml
+++ b/signals/sender/sender_display_is_upper.yml
@@ -1,4 +1,4 @@
 name: "Sender: Display Name Contains All Capital Letters"
 type: "query"
 source: |
- regex.match(sender.display_name, "^[^a-z]*[A-Z][^a-z]*$")
\ No newline at end of file
+ regex.match(sender.display_name, "[^a-z]*[A-Z][^a-z]*")
\ No newline at end of file
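Review bot: The pattern `[^a-z]*[A-Z][^a-z]*` only requires one ASCII capital and the absence of ASCII lowercase, so digits, punctuation, accented lowercase letters and non-Latin scripts all pass unconstrained, which is looser than the signal name "Contains All Capital Letters" suggests. A one-line comment inside the `source` block would make the contract explicit for anyone tuning on this signal: `// at least one ASCII capital and no ASCII lowercase; digits, punctuation and non-ASCII letters are not constrained`. Separately, both sides carry `\ No newline at end of file`; since this line was rewritten anyway, adding the trailing newline now would be a cheap tidy-up.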