[PR #3374] modified rule: Link: GoPhish default rid value

github-actions[bot] · github-actions[bot] · commit 92aaede0eac1 · 2025-10-08T14:21:25.000Z
diff --git a/detection-rules/3374_link_gophish_rid.yml b/detection-rules/3374_link_gophish_rid.yml
@@ -7,8 +7,10 @@ source: |
   // few body links
   and length(body.links) < 50
   and any(body.links,
+          // not a common marketing url rewriter
+          not .href_url.domain.root_domain == "vtiger.com"
           // the rid value present
-          length(.href_url.query_params_decoded["rid"]) == 1
+          and length(.href_url.query_params_decoded["rid"]) == 1
           // the RID value is 7 bytes
           and length(.href_url.query_params_decoded["rid"][0]) == 7
           // contains letters and numbers
@@ -20,7 +22,6 @@ source: |
                            '^[0-9]{7}$'
           )
   )
-
 attack_types:
   - "Credential Phishing"
   - "Malware/Ransomware"
@@ -31,4 +32,4 @@ detection_methods:
 id: "5d7e1718-37ee-5fb4-96f2-8587d1a893bd"
 og_id: "6d2b9c8a-ec51-562c-88f5-58605b1e5a6e"
 testing_pr: 3374
-testing_sha: fe28bca1ca1ace63d4d9ea8d5ab31e149e4656b4
+testing_sha: 00b054a8c66493d803b4bfca9590066b9d43cdf0
