Update credential_phishing_esign_document_notification.yml (#3496)

IndiaAce · web-flow · commit 9d93c0dd2c88 · 2025-11-07T22:17:49.000Z
diff --git a/detection-rules/credential_phishing_esign_document_notification.yml b/detection-rules/credential_phishing_esign_document_notification.yml
@@ -243,15 +243,22 @@ source: |
       )
     )
   )
+  // the message is unsolicited and no false positives
   and (
     not profile.by_sender_email().solicited
     or profile.by_sender_email().prevalence == "new"
     or (
       profile.by_sender_email().any_messages_malicious_or_spam
       and not profile.by_sender_email().any_messages_benign
     )
+    or (
+      profile.by_sender_email().any_messages_malicious_or_spam
+      and profile.by_sender_email().any_messages_benign
+      and (
+        not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass
+      )
+    )
   )
-  and not profile.by_sender_email().any_messages_benign
   
   // negate replies/fowards containing legitimate docs
   and not (

Original file line number	Diff line number	Diff line change
`@@ -243,15 +243,22 @@ source: \|`
`243`	`243`	`)`
`244`	`244`	`)`
`245`	`245`	`)`
	`246`	`+ // the message is unsolicited and no false positives`
`246`	`247`	`and (`
`247`	`248`	`not profile.by_sender_email().solicited`
`248`	`249`	`or profile.by_sender_email().prevalence == "new"`
`249`	`250`	`or (`
`250`	`251`	`profile.by_sender_email().any_messages_malicious_or_spam`
`251`	`252`	`and not profile.by_sender_email().any_messages_benign`
`252`	`253`	`)`
	`254`	`+ or (`
	`255`	`+ profile.by_sender_email().any_messages_malicious_or_spam`
	`256`	`+ and profile.by_sender_email().any_messages_benign`
	`257`	`+ and (`
	`258`	`+ not headers.auth_summary.dmarc.pass or not headers.auth_summary.spf.pass`
	`259`	`+ )`
	`260`	`+ )`
`253`	`261`	`)`
`254`		`- and not profile.by_sender_email().any_messages_benign`
`255`	`262`
`256`	`263`	`// negate replies/fowards containing legitimate docs`
`257`	`264`	`and not (`