Update link_new_domain_in_link_first_time_sender.yml

zoomequipd · web-flow · commit 07a1214f4912 · 2026-02-03T11:44:36.000-06:00
diff --git a/detection-rules/link_new_domain_in_link_first_time_sender.yml b/detection-rules/link_new_domain_in_link_first_time_sender.yml
@@ -4,17 +4,21 @@ description: |
 type: "rule"
 severity: "medium"
 source: |
-  type.inbound
-  and length(body.links) > 0
-  and any(body.links, network.whois(.href_url.domain).days_old <= 10)
-  and (
-    (
-      profile.by_sender().prevalence in ("new", "outlier")
-      and not profile.by_sender().solicited
-    )
-    or profile.by_sender().any_messages_malicious_or_spam
+type.inbound
+and length(body.links) > 0
+and any(body.links, network.whois(.href_url.domain).days_old <= 10)
+and (
+  (
+    profile.by_sender().prevalence in ("new", "outlier")
+    and not profile.by_sender().solicited
   )
-  and not profile.by_sender().any_messages_benign
+  or profile.by_sender().any_messages_malicious_or_spam
+)
+// negate senders which have had previous messages marked as benign which pass auth
+and not (
+    profile.by_sender().any_messages_benign
+    and profile.by_sender().auth_failed == false
+)
 tags:
   - "Attack surface reduction"
 attack_types:
