[PR #3428] modified rule: Attachment: Credit card application with WhatsApp contact

github-actions[bot] · github-actions[bot] · commit e70cc7745933 · 2025-10-24T13:06:44.000Z
diff --git a/detection-rules/3428_attachment_creditcard_application_with_whatsapp.yml b/detection-rules/3428_attachment_creditcard_application_with_whatsapp.yml
@@ -6,14 +6,16 @@ source: |
   type.inbound
   // promotional/advertising content targeting financial services
   and (
-    regex.icontains(body.current_thread.text,
-                    "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
+    (
+      regex.icontains(body.current_thread.text,
+                      "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
+      )
+      or regex.icontains(subject.subject,
+                         "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
+      )
     )
-    or regex.icontains(subject.subject,
-                       "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
-    )
-    or any(ml.nlu_classifier(body.current_thread.text).topics,
-           .name in ("Advertising and Promotions")
+    and any(ml.nlu_classifier(body.current_thread.text).topics,
+            .name in ("Advertising and Promotions")
     )
   )
   // PII harvesting template in attachments (3+ of these patterns)
@@ -58,4 +60,4 @@ detection_methods:
 id: "aaeb35de-1b50-5222-ae9d-6b2fd167bb8a"
 og_id: "95b08315-93a6-5005-8f38-ff597eb9f947"
 testing_pr: 3428
-testing_sha: 75d66d2a1b9c365689b718a9e47a80d99a87e3ce
+testing_sha: 79dd37c5beb7e485381d04c96a029cd822d90959
