Update brand_impersonation_sharepoint_pdf_cred_theft.yml (#3486)

zoomequipd · web-flow · commit 7afada347b56 · 2025-11-07T18:07:23.000Z
diff --git a/detection-rules/brand_impersonation_sharepoint_pdf_cred_theft.yml b/detection-rules/brand_impersonation_sharepoint_pdf_cred_theft.yml
@@ -8,12 +8,8 @@ source: |
     any(attachments,
         (
           .file_type == "pdf"
-          and any(ml.logo_detect(.).brands,
-                  .name == "Microsoft SharePoint"
-                  and any(attachments,
-                          any(file.explode(.), length(.scan.url.urls) > 0)
-                  )
-          )
+          and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
+          and any(file.explode(.), length(.scan.url.urls) > 0)
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence == "high"
