[PR #3808] modified rule: Attachment: Fake lawyer & sports agent identities

Author: github-actions[bot]

detection-rules/3808_attachment_fake_lawyer_sports_agent.yml

@@ -5,23 +5,7 @@ severity: "high"
 source: |
   type.inbound
   and length(attachments) == 1
-  and (
-    // Michael is a fake lawyer used in fc barcelona scam
-    // Gabriele & Valerio "Giuffrida" are sports agent
-    any([
-          "Michael Gerardus Hermanus Demon",
-          "Gabriele Giuffrida",
-          "Valerio Giuffrida"
-        ],
-        any(attachments,
-            strings.icontains(beta.parse_exif(.).creator, ..)
-            or strings.icontains(beta.ocr(.).text, ..)
-        )
-        or strings.icontains(body.current_thread.text, .)
-        or strings.icontains(body.current_thread.text, .)
-        or any(body.previous_threads, strings.icontains(.text, ..))
-    )
-  )
+  and beta.parse_exif(attachments[0]).creator == "Gabriele Giuffrida"
 attack_types:
   - "BEC/Fraud"
 tactics_and_techniques:
@@ -35,4 +19,4 @@ detection_methods:
 id: "d8cbbf7d-7230-524d-ac26-e97e6c4e06e8"
 og_id: "7d3a2478-a373-50d6-97bb-2dd1c3f710f7"
 testing_pr: 3808
-testing_sha: bcba077ea73deb74a13d883b328aa6ff26b31169
+testing_sha: c92cceb3cc01b9a0b0d4f7468a89414ab2e7d710