[PR #3433] modified rule: Brand Impersonation: ShareFile

Author: github-actions[bot]

detection-rules/3433_impersonation_sharefile.yml

@@ -37,8 +37,9 @@ source: |
       0 < length(attachments) <= 5
       and (
         all(attachments, .file_type in $file_types_images)
-        // allow for one non-PDF attachment, which has been observed added as an evasion tactic
-        or ratio(attachments, .file_extension in ("pdf")) == 0.5
+        or (
+          length(filter(attachments, .file_type == "pdf")) == 1
+        )
       )
       and any(attachments,
               any(file.explode(.),
@@ -107,4 +108,4 @@ detection_methods:
 id: "52895b87-8a4f-5ac7-b378-1dbd708a20d9"
 og_id: "f8330307-67fe-5b49-b850-bfdc17955aea"
 testing_pr: 3433
-testing_sha: e29c2c082291a5502b2774e21472669538c6f030
+testing_sha: 9b1c944bc3d2921cdd3e7f3e9e21bb3eb2d54516