Update keyword flags based on ngram analysis from hunt results

Should be final update before review ready. Updated keyword flags and took away requirement for sender to not be from a freemail domain (noticed FN where this was the case). Changes should also tune results to fit the scope of the rule.

Author: JFarina5

detection-rules/recon_hotel_booking_reply_to_redirect.yml

@@ -4,8 +4,10 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and any(headers.reply_to, .email.domain.root_domain in $free_email_providers)
-  and sender.email.domain.root_domain not in $free_email_providers
+  and any(headers.reply_to,
+          .email.domain.root_domain in $free_email_providers
+          and .email.domain.root_domain != sender.email.domain.root_domain
+  )
   and all(recipients.to,
           .email.domain.root_domain != sender.email.domain.root_domain
   )
@@ -35,17 +37,21 @@ source: |
                         '*suite*',
                         '*availability*',
                         '*check-in*',
-                        '*pet friendly*'
+                        '*available dates*',
+                        '*family trip*',
+                        '*deluxe accommodation*',
+                        '*two children*',
+                        '*hotel manager*'
       )
     )
     or strings.ilike(subject.subject,
                      '*hotel*',
-                     '*booking*',
-                     '*reserv*',
-                     '*room*',
+                     '*hotel booking*',
+                     '*room reserv*',
+                     '*room inquiry*',
+                     '*room availability*',
                      '*suite*',
-                     '*accommodation*',
-                     '*property*'
+                     '*accommodation*'
     )
   )
 attack_types: