[PR #3487] modified rule: Brand impersonation: Greenvelope

Author: github-actions[bot]

detection-rules/3487_brand_impersonation_greenvelope.yml

@@ -46,6 +46,13 @@ source: |
     )
   )
   
+  // avoid fwd/replies
+  and not (
+    (subject.is_forward or subject.is_reply)
+    and (length(headers.references) != 0 or headers.in_reply_to is not null)
+    and length(body.previous_threads) > 0
+  )
+  
   // Capping length to limit FP's
   and length(body.current_thread.text) < 1500
 attack_types:
@@ -59,4 +66,4 @@ detection_methods:
 id: "07bf6342-6504-5dc2-b2d7-9a84556fd9d5"
 og_id: "9cbbf9b8-a44a-5d86-8caa-3aef898841c1"
 testing_pr: 3487
-testing_sha: 3d5f974244663df2dfc5f9bf6a2d6c76f5204ef5
+testing_sha: f690e7e062cc3b76d4d1abd3fb8725d0ee534e0b