[PR #3425] modified rule: Brand impersonation: Microsoft with low reputation links

github-actions[bot] · github-actions[bot] · commit 8dfa0d6ed884 · 2025-11-07T00:50:14.000Z
diff --git a/detection-rules/3425_link_microsoft_low_reputation.yml b/detection-rules/3425_link_microsoft_low_reputation.yml
@@ -8,7 +8,7 @@ source: |
  // suspicious link 
  and any(body.links,
          (
-           .href_url.domain.tld in $suspicious_tlds
+           .href_url.domain.tld == "ru"
            or .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
@@ -18,7 +18,7 @@ source: |
            // account for URL rewrites
            or (
              any(.href_url.query_params_decoded["domain"],
-                 strings.parse_domain(.).tld in~ $suspicious_tlds
+                 strings.parse_domain(.).tld == "ru"
                  or strings.parse_domain(.).root_domain not in~ $tranco_1m
                  or strings.parse_domain(.).domain in~ $free_file_hosts
                  or strings.parse_domain(.).root_domain in~ $free_file_hosts
@@ -449,4 +449,4 @@ detection_methods:
 id: "5095cc4d-1c45-5a0c-a28c-eed6f09fd14f"
 og_id: "b59201b6-f253-55a6-9c0a-e1500a32a751"
 testing_pr: 3425
-testing_sha: bc814a1f53e9b9a9367ade77147a069a402b263f
+testing_sha: 3b0b60a81a6de6f6f5fb6857bcc4898282d57636
