[PR #3408] modified rule: Brand Impersonation: SAP Concur

Author: github-actions[bot]

detection-rules/3408_brand_impersonation_concur.yml

@@ -11,16 +11,25 @@ source: |
   and (
     // Sender display name or domain contains Concur
     regex.icontains(sender.display_name, '\bconcur\b')
-    or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
-                            'concur'
-    ) <= 2
+    or (
+      strings.ilevenshtein(strings.replace_confusables(sender.display_name),
+                           'concur'
+      ) <= 2
+      and not sender.display_name =~ "connor"
+    )
     or strings.icontains(sender.email.domain.domain, 'concur')
     or strings.ilevenshtein(sender.email.domain.sld, 'concur') <= 2
+  // Or spoofing concursolutions.com but failing auth
   )
-
+  
   // Not from legitimate Concur domain with valid auth
   and not (
-    sender.email.domain.root_domain in~ ('concursolutions.com', 'concur.com', 'sap.com', 'concurcdc.cn')
+    sender.email.domain.root_domain in~ (
+      'concursolutions.com',
+      'concur.com',
+      'sap.com',
+      'concurcdc.cn'
+    )
     and headers.auth_summary.dmarc.pass
   )
 
@@ -38,4 +47,4 @@ detection_methods:
 id: "14785ff4-f4bf-583e-a280-81c0075cdb2e"
 og_id: "b1e6ebd8-3097-5adb-8d9e-c0e51e7baa95"
 testing_pr: 3408
-testing_sha: a050d83d1fcccc3270963616554e5115813e6397
+testing_sha: 0c2f77afbd531f9127ac824f266abb9dd62a57d1