[PR #3326] modified rule: Brand impersonation: Aquent

github-actions[bot] · github-actions[bot] · commit 554dae40744d · 2025-09-30T23:54:36.000Z
diff --git a/detection-rules/3326_brand_impersonation_aquent.yml b/detection-rules/3326_brand_impersonation_aquent.yml
@@ -7,8 +7,7 @@ source: |
   and (
     strings.icontains(sender.display_name, 'Aquent')
     // look for Aquent address from footer, or current address being used by actors
-    or 3 of (
-      strings.icontains(sender.display_name, "Aquent"),
+    or 2 of (
       strings.icontains(body.current_thread.text, 'Aquent'),
       strings.icontains(body.current_thread.text, '2884 Sand Hill Road'),
       strings.icontains(body.current_thread.text, 'Menlo Park, CA 94025'),
@@ -47,4 +46,4 @@ detection_methods:
 id: "a23b8a50-bfad-5c49-8f53-13ba8c1402ae"
 og_id: "5074459c-d48e-5ff6-9a08-3da38c2963d9"
 testing_pr: 3326
-testing_sha: aebbc93aed56ac591439120d72a87bbe28b140fd
+testing_sha: 4d31db559a98883eede59b7e8189dbb164458008
