Update callback phishing via zoom comment rule

Added additional conditions to detect callback phishing related to host keys.

Author: IndiaAce

detection-rules/callback_phishing_zoom_comment.yml

@@ -19,6 +19,9 @@ source: |
                         "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
                       )
   )
+  and any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "callback_scam" and .confidence != "low"
+  )
   and 3 of (
     strings.ilike(body.current_thread.text, '*purchase*'),
     strings.ilike(body.current_thread.text, '*payment*'),
@@ -33,7 +36,8 @@ source: |
     strings.ilike(body.current_thread.text, '*call*'),
     strings.ilike(body.current_thread.text, '*cancel*'),
     strings.ilike(body.current_thread.text, '*renew*'),
-    strings.ilike(body.current_thread.text, '*refund*')
+    strings.ilike(body.current_thread.text, '*refund*'),
+    strings.ilike(body.current_thread.text, '*host key*')
   )
   // phone number regex
   and any([body.current_thread.text, subject.subject],