Update impersonation_docusign.yml

Author: zoomequipd

detection-rules/impersonation_docusign.yml

@@ -392,14 +392,13 @@ source: |
     )
   )
   
-  // negate highly trusted sender domains unless they fail DMARC authentication
-  and (
-    coalesce(sender.email.domain.root_domain in $high_trust_sender_root_domains
-             and not headers.auth_summary.dmarc.pass,
-             false
-    )
-    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+
+  // negate highly trusted sender domains if they pass DMARC authentication
+  and not (
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and coalesce(headers.auth_summary.dmarc.pass, false)
   )
+
   // negation for messages traversing docusign.net
   // happens with custom sender domains
   and not (