[PR #3661] modified rule: Attachment: PDF with banking and payment references from freemail sender

github-actions[bot] · github-actions[bot] · commit 9040f953f2dd · 2026-01-12T15:34:14.000Z
diff --git a/detection-rules/3661_attachment_pdf_file_banking_payment_from_freemail.yml b/detection-rules/3661_attachment_pdf_file_banking_payment_from_freemail.yml
@@ -30,7 +30,10 @@ source: |
                     '\b((?:C(?:hairman|[EFO]O)|President|Director|[ES]?VP))\b'
     )
     // Or looks like: firstname.lastname.company@freemail
-    or regex.count(sender.email.local_part, '\.') == 2
+    or (
+        regex.count(sender.email.local_part, '\.') == 2
+        and regex.contains(sender.email.local_part, '\.([a-z]{2,})\.')
+      )
     // or any defined org brands like: first.last.sublime@freemail
     or any($org_slds, strings.icontains(sender.email.local_part, .))
     or any($org_brand_names, strings.icontains(sender.email.local_part, .))
@@ -58,9 +61,6 @@ source: |
   
   // Free email provider (including Proton)
   and sender.email.domain.root_domain in $free_email_providers
-  
-  // Unsolicited
-  and not profile.by_sender().solicited
 
 attack_types:
   - "BEC/Fraud"
@@ -75,4 +75,4 @@ detection_methods:
 id: "054acfa2-ba42-54d0-ba6e-ce562db7fd56"
 og_id: "3d46be24-a640-515d-bae9-480effa2b5c8"
 testing_pr: 3661
-testing_sha: d0c27a5fbbede3f46cf6a2eaa90b8ee425d3944a
+testing_sha: d2fd2c1a9735a82dc9bca1648395236273a5b62f
