[Test Rules] [PR #3984] modified rule: Brand impersonation: DocuSign

Author: github-actions[bot]

detection-rules/3984_impersonation_docusign.yml

@@ -309,7 +309,7 @@ source: |
   and (
     any(
         // filter links that match docusign wording
-        filter(body.links,
+        filter(body.current_thread.links,
                // we've observed invisible characters in the display name
                // such as U+034F: "Revi\x{034F}ew Now"
                (
@@ -337,7 +337,7 @@ source: |
                  or strings.icontains(.display_text, "Review on Docusign")
                  or (
                    strings.icontains(.display_text, "Sign")
-                   and regex.icontains(.display_text, '(?:in|now)')
+                   and regex.icontains(.display_text, '(?:in\b|now)')
                  )
                )
         ),
@@ -430,4 +430,4 @@ detection_methods:
 id: "d4941591-f1a3-58d5-be61-2a093f9b7453"
 og_id: "4d29235c-08b9-5f9b-950e-60b05c4691fb"
 testing_pr: 3984
-testing_sha: d2ed2963f768b67d7e8bbf01eb9b2555259e890b
+testing_sha: ab20ddde3269908639206e170aab3b4842f09ce6