Update impersonation_recipient_domain.yml

morriscode · web-flow · commit cc487d104cc0 · 2023-09-18T16:47:11.000-04:00
Changing recipient domain to use mailbox.email.domain.root_domain to negate instances where the recipient is the sender, and delivery is accomplished via BCC's.
diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml
@@ -15,8 +15,8 @@ source: |
           // custom domains only
           sender.email.domain.domain not in $free_email_providers
 
-          // recipient's domain is in the sender's display name
-          and strings.icontains(sender.display_name, .email.domain.root_domain)
+          // mailbox recipient's domain is in the sender's display name
+          and strings.icontains(sender.display_name, mailbox.email.domain.root_domain)
   )
   
   and not (

Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,8 @@ source: \|`
`15`	`15`	`// custom domains only`
`16`	`16`	`sender.email.domain.domain not in $free_email_providers`
`17`	`17`
`18`		`- // recipient's domain is in the sender's display name`
`19`		`- and strings.icontains(sender.display_name, .email.domain.root_domain)`
	`18`	`+ // mailbox recipient's domain is in the sender's display name`
	`19`	`+ and strings.icontains(sender.display_name, mailbox.email.domain.root_domain)`
`20`	`20`	`)`
`21`	`21`
`22`	`22`	`and not (`