[PR #3457] modified rule: Brand impersonation: Paperless Post

github-actions[bot] · github-actions[bot] · commit 1935d8416e1e · 2025-11-05T02:13:26.000Z
diff --git a/detection-rules/3457_brand_impersonation_paperlesspost.yml b/detection-rules/3457_brand_impersonation_paperlesspost.yml
@@ -12,8 +12,12 @@ source: |
   ) >= 2
   and length(filter(body.links,
                     .href_url.domain.domain == "links.paperlesspost.com"
+                    or (
+                      .href_url.domain.root_domain == "paperlesspost.com"
+                      and strings.istarts_with(.href_url.path, '/go/')
+                    )
              )
-  ) < 3
+  ) < 2
   and not (
     (subject.is_forward or subject.is_reply)
     and (length(headers.references) != 0 or headers.in_reply_to is not null)
@@ -23,7 +27,6 @@ source: |
     sender.email.domain.root_domain == "paperlesspost.com"
     and headers.auth_summary.dmarc.pass
   )
-
 attack_types:
   - "Credential Phishing"
   - "Malware/Ransomware"
@@ -38,4 +41,4 @@ detection_methods:
 id: "bc42e605-e209-565f-aa99-de14bf398910"
 og_id: "e9ec5e09-e50f-5d02-ad14-35a1a1442960"
 testing_pr: 3457
-testing_sha: e3fec67c8215b08a3dd27147b29f0ffda2d04c0d
+testing_sha: 781e64c32d8a4795ef65255b70858f7b5e817af9
