Update link_sharepoint_attached_eml.yml

sublime-security · Dec 11, 2024 · decc15b · decc15b
1 parent bade6cf
commit decc15b
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/detection-rules/link_sharepoint_attached_eml.yml b/detection-rules/link_sharepoint_attached_eml.yml
@@ -105,6 +105,12 @@ source: |
               and all(recipients.to,
                       .email.email == file.parse_eml(..).sender.email.email
               )
+            ),
+            
+            // the attached message contains a very low number of hops, as if it was never sent
+            (
+              length(file.parse_eml(.).headers.hops) <= 2
+              or file.parse_eml(.).headers.return_path.email is null
             )
           )
   )