[PR #3443] modified rule: Service abuse: Facebook business with action required subject

github-actions[bot] · github-actions[bot] · commit 7793228bac2a · 2025-10-30T16:20:22.000Z
diff --git a/detection-rules/3443_service_abuse_meta_business.yml b/detection-rules/3443_service_abuse_meta_business.yml
@@ -3,7 +3,8 @@ description: "Detects messages from the Facebook business domain containing 'act
 type: "rule"
 severity: "medium"
 source: |
-  strings.icontains(subject.subject, "action required")
+  type.inbound
+  and strings.icontains(subject.subject, "action required")
   and sender.email.email == "noreply@business.facebook.com"
 tags:
  - "Attack surface reduction"
@@ -18,4 +19,4 @@ detection_methods:
 id: "eda7e455-3904-5c92-b7ee-907783230093"
 og_id: "64297d2f-a5bd-5336-8db7-ec00df59411f"
 testing_pr: 3443
-testing_sha: 3ed229ec0380d9a6703c10455b5a15c045ad7aa5
+testing_sha: ff48e10c093edfd7dcb261bd6686551d52d940e9
