Sync from PR#2246

Create attachment_html_excessive_const_declarations.yml by @morriscode #2246 Source SHA 9aee66b Triggered by @morriscode
sublime-security · Jan 2, 2025 · eb78681 · eb78681
1 parent ff19b2d
commit eb78681
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/detection-rules/attachment_html_excessive_const_declarations.yml b/detection-rules/attachment_html_excessive_const_declarations.yml
@@ -15,6 +15,15 @@ source: |
           )
           and length(file.parse_html(.).raw) < 50000
   )
+
+  // and the sender is not from high trust sender root domains
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
 attack_types:
   - "Malware/Ransomware"
   - "Credential Phishing"
@@ -28,4 +37,4 @@ detection_methods:
   - "Content analysis"
 id: "66f8a07a-5f0f-5a99-976c-a81d2de8b406"
 testing_pr: 2246
-testing_sha: 608436f4ebf35dc63cc8bd353a1847be86e1904b
+testing_sha: 9aee66b23cacb41cc60ebf7317ad4fb604052e75