From a224608b0e032f597863169bb309bb1babc75137 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 3 Oct 2025 17:54:12 -0700
Subject: [PATCH 1/2] Update predatory_academic_journal.yml
---
 detection-rules/predatory_academic_journal.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/detection-rules/predatory_academic_journal.yml b/detection-rules/predatory_academic_journal.yml
index 8209b82d095..155a47ab772 100644
--- a/detection-rules/predatory_academic_journal.yml
+++ b/detection-rules/predatory_academic_journal.yml
@@ -140,6 +140,18 @@ source: |
 // known patterns
 any(body.links, regex.imatch(.href_url.path, '^/ey[a-z]/.{2,}$'))
 )
+
+ // don't match microsoft quarantine messages
+ and not (
+ any(body.links,
+ strings.icontains(.display_text, "Review Message")
+ or strings.icontains(.display_text, "Passer en revue le message")
+ and (
+ .href_url.domain.domain == "security.microsoft.com"
+ and .href_url.path == "/quarantine"
+ )
+ )
+ )
 attack_types:
 - "BEC/Fraud"
From 85fb2df2ca3ac8657875c2b39a7fc79b4e25cb13 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Mon, 6 Oct 2025 10:14:18 -0700
Subject: [PATCH 2/2] Update detection-rules/predatory_academic_journal.yml
Co-authored-by: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
---
 detection-rules/predatory_academic_journal.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/detection-rules/predatory_academic_journal.yml b/detection-rules/predatory_academic_journal.yml
index 155a47ab772..abaa1b9ca18 100644
--- a/detection-rules/predatory_academic_journal.yml
+++ b/detection-rules/predatory_academic_journal.yml
@@ -141,11 +141,13 @@ source: |
 any(body.links, regex.imatch(.href_url.path, '^/ey[a-z]/.{2,}$'))
 )
 
- // don't match microsoft quarantine messages
+ // negate microsoft quarantine messages
 and not (
 any(body.links,
- strings.icontains(.display_text, "Review Message")
- or strings.icontains(.display_text, "Passer en revue le message")
+ (
+ strings.icontains(.display_text, "Review Message")
+ or strings.icontains(.display_text, "Passer en revue le message")
+ )
 and (
 .href_url.domain.domain == "security.microsoft.com"
 and .href_url.path == "/quarantine"
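Review bot: The exclusion is keyed entirely on link content — a display text of "Review Message" / "Passer en revue le message" and an href to security.microsoft.com/quarantine — which is material the sender of the message controls, so any message carrying one such link is removed from this rule regardless of its origin. Since the intent is to skip Microsoft's own quarantine digests, the `and not (` block should also be anchored on the message origin, e.g. an additional `and sender.email.domain.domain == "microsoft.com"` (or the specific quarantine notifier address) combined with a DMARC-pass check, so the carve-out applies only to authenticated Microsoft notifications. The new comment could also record why these digests trip the rule, presumably because they embed links from the quarantined message, e.g. `// negate microsoft quarantine digests (they embed the quarantined message's links) — only when sender is authenticated Microsoft`. The enclosing source expression begins before this hunk.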