Update attachment_ics_meeting_invite.yml

MSAdministrator · web-flow · commit ba5f6d39f769 · 2026-01-23T17:10:32.000-06:00
diff --git a/detection-rules/attachment_ics_meeting_invite.yml b/detection-rules/attachment_ics_meeting_invite.yml
@@ -9,14 +9,8 @@ source: |
                  .file_extension in~ ('ics')
                  or .content_type in ("application/ics", "text/calendar")
           ),
-          (
-            regex.contains(.file_name, "meeting_[a-zA-Z]{5}")
-            or regex.contains(.file_name, "meeting_[a-zA-Z0-9]{5}")
-          )
-          and not (
-            regex.contains(.file_name, "meeting_invit[eation]")
-            or regex.contains(.file_name, "meeting_request")
-          )
+          regex.icontains(.file_name, 'meeting_[a-zA-Z0-9]{5}\.')
+          and not strings.contains(.file_name, "meeting_invite")
   )
 attack_types:
   - "BEC/Fraud"
