Update detection-rules/predatory_academic_journal.yml

peterdj45 · IndiaAce · web-flow · commit 85fb2df2ca3a · 2025-10-06T10:14:18.000-07:00
Co-authored-by: Luke Wescott &lt;69780712+IndiaAce@users.noreply.github.com&gt;
diff --git a/detection-rules/predatory_academic_journal.yml b/detection-rules/predatory_academic_journal.yml
@@ -141,11 +141,13 @@ source: |
     any(body.links, regex.imatch(.href_url.path, '^/ey[a-z]/.{2,}$'))
   )
   
-  // don't match microsoft quarantine messages
+  // negate microsoft quarantine messages
   and not (
     any(body.links,
-        strings.icontains(.display_text, "Review Message")
-        or strings.icontains(.display_text, "Passer en revue le message")
+        (
+          strings.icontains(.display_text, "Review Message")
+          or strings.icontains(.display_text, "Passer en revue le message")
+        )
         and (
           .href_url.domain.domain == "security.microsoft.com"
           and .href_url.path == "/quarantine"
