convert to subject.base /subject.is_reply/subject.is_forward (#3470)

Author: zoomequipd

detection-rules/body_job_scam_freemail_pivot.yml

@@ -14,10 +14,7 @@ source: |
     or 
 
     // HTML is not null but fake thread
-    (
-      strings.istarts_with(subject.subject, "RE:")
-      or strings.istarts_with(subject.subject, "FWD:")
-    )
+    (subject.is_reply or subject.is_forward)
     and (
       (length(headers.references) == 0 and headers.in_reply_to is null)
       or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))

detection-rules/impersonation_google_groups_suspicious.yml

@@ -44,7 +44,7 @@ source: |
 
     // fake thread
     (
-      regex.imatch(subject.subject, "(re|fw(d)?):.*")
+      (subject.is_forward or subject.is_reply)
       and (
         (length(headers.references) == 0 and headers.in_reply_to is null)
         or not any(headers.hops,

detection-rules/link_fake_thread_nlu_financial_request.yml

@@ -7,10 +7,7 @@ source: |
   and length(body.links) < 10
 
   // fake thread check
-  and (
-    strings.istarts_with(subject.subject, "RE:")
-    or strings.istarts_with(subject.subject, "FWD:")
-  )
+  and (subject.is_reply or subject.is_forward)
 
   // Check for the Presence of References or In-Reply-To properties
   and (

detection-rules/spam_google_group_explict_invite.yml

@@ -9,11 +9,11 @@ source: |
   // 
   and sender.email.email == "noreply@groups.google.com"
   and (
-    strings.istarts_with(subject.subject, 'Invitation to join ')
-    or strings.istarts_with(subject.subject, 'You have been added to ')
+    strings.istarts_with(subject.base, 'Invitation to join ')
+    or strings.istarts_with(subject.base, 'You have been added to ')
     // the group name contains sexually explicit keywords
     // this regex should be kept in sync between the Google Group, Google Drive Share, and Looker Studio rules
-    or regex.icontains(subject.subject,
+    or regex.icontains(subject.base,
                        '(?:Invitation to join|You have been added to) .*(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
     )
   )
@@ -31,15 +31,15 @@ source: |
   )
   and (
     // the group name contains 7 char sets at the start and end and must contain a number
-    regex.icontains(subject.subject,
+    regex.icontains(subject.base,
                     '(?:added to|to join) [A-Z0-9]{5,7} .*(?:[[:^ascii:]]|[[:^alpha:]]) [A-Z0-9]{5,7}$'
     )
     // calls to action in the group name
-    or regex.icontains(subject.subject,
+    or regex.icontains(subject.base,
                        '(?:added to|to join) .*(join|(?:click|go|tap) here)'
     )
     // it contains an emoji in the group name
-    or regex.icontains(subject.subject,
+    or regex.icontains(subject.base,
                        '(?:added to|to join) .*[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
     )
     // the description of the group contains sexually explicit keywords

detection-rules/vip_impersonation_charity.yml

@@ -4,7 +4,12 @@ type: "rule"
 severity: "high"
 source: |
   type.inbound
-  and strings.ilike(body.current_thread.text, "*charity*", "*gala*", "*donation*", "*donor*")
+  and strings.ilike(body.current_thread.text,
+                    "*charity*",
+                    "*gala*",
+                    "*donation*",
+                    "*donor*"
+  )
   and any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "financial"
   )
@@ -17,11 +22,7 @@ source: |
   )
   and (
     (
-      (
-        strings.istarts_with(subject.subject, "RE:")
-        or strings.istarts_with(subject.subject, "FW:")
-        or strings.istarts_with(subject.subject, "FWD:")
-      )
+      (subject.is_forward or subject.is_reply)
       and (
         (length(headers.references) == 0 and headers.in_reply_to is null)
         or not any(headers.hops,
@@ -32,17 +33,15 @@ source: |
     // fake thread, but no indication in the subject line
     // current_thread pulls the recent thread, but the full body contains the fake "original" email
     or (
-      not (
-        (
-          strings.istarts_with(subject.subject, "RE:")
-          or strings.istarts_with(subject.subject, "FWD:")
+      not ((subject.is_forward or subject.is_reply))
+      and (
+        3 of (
+          strings.icontains(body.html.display_text, "from:"),
+          strings.icontains(body.html.display_text, "to:"),
+          strings.icontains(body.html.display_text, "sent:"),
+          strings.icontains(body.html.display_text, "subject:")
         )
-      )
-      and 3 of (
-        strings.icontains(body.html.display_text, "from:"),
-        strings.icontains(body.html.display_text, "to:"),
-        strings.icontains(body.html.display_text, "sent:"),
-        strings.icontains(body.html.display_text, "subject:")
+        or length(body.previous_threads) > 0
       )
       and (
         length(body.current_thread.text) + 100 < length(body.html.display_text)