Refactor link detection rules for Punycode characters (#3502)

Author: morriscode

detection-rules/link_contains_punycode_characters.yml

@@ -9,26 +9,13 @@ authors:
 severity: "medium"
 source: |
   type.inbound
-  and any(body.links, .href_url.domain.punycode is not null and .href_url.domain.valid == true)
   and (
-    (
-      // include automated emails
-      sender.display_name == "WordPress"
-      or sender.email.local_part == "wordpress"
-    )
-
-    or (
-      (
-        profile.by_sender().prevalence in ("new", "outlier")
-        and not profile.by_sender().solicited
-      )
-      or (
-        profile.by_sender().any_messages_malicious_or_spam
-        and not profile.by_sender().any_messages_benign
-      )
+    any(body.links,
+        .href_url.domain.punycode is not null and .href_url.domain.valid == true
     )
+    or any(body.links, strings.starts_with(.href_url.domain.domain, "xn--"))
   )
-  and not profile.by_sender().any_messages_benign
+
 tags:
   - "Attack surface reduction"
 attack_types: