From decc15bf08cf61fe1ae4095b3d241409de6b1e7f Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Wed, 11 Dec 2024 08:43:48 -0600 Subject: [PATCH] Update link_sharepoint_attached_eml.yml --- detection-rules/link_sharepoint_attached_eml.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/detection-rules/link_sharepoint_attached_eml.yml b/detection-rules/link_sharepoint_attached_eml.yml index 402d96e81c8..c660971e199 100644 --- a/detection-rules/link_sharepoint_attached_eml.yml +++ b/detection-rules/link_sharepoint_attached_eml.yml @@ -105,6 +105,12 @@ source: | and all(recipients.to, .email.email == file.parse_eml(..).sender.email.email ) + ), + + // the attached message contains a very low number of hops, as if it was never sent + ( + length(file.parse_eml(.).headers.hops) <= 2 + or file.parse_eml(.).headers.return_path.email is null ) ) )
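Review bot: The comment added with the new block describes only the hop-count test, but the predicate it introduces is an OR whose second arm, `file.parse_eml(.).headers.return_path.email is null`, matches regardless of hop count, so a reader skimming the rule will under-estimate what the added condition covers; suggest `// the attached message has very few hops or no Return-Path, as if it was never actually sent`. Whether `length(file.parse_eml(.).headers.hops)` evaluates to 0 or to null when the attached message carries no hop headers at all depends on the parser and is not visible here; if it can be null, the `<= 2` arm would silently never fire for exactly the "never sent" messages it targets and only the return-path arm would remain. Likewise, a message with an explicit empty `Return-Path: <>` may be surfaced by the parser as an empty string rather than null, in which case `is null` would not match it; worth confirming against a sample and widening the check if so. The parenthesis closed by the added `),` is opened before this hunk, so the grouping of the new condition within the surrounding `source` expression cannot be confirmed from the hunk alone.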