[PR #3402] modified rule: Vendor impersonation: Thread hijacking with typosquat domain

Author: github-actions[bot]

detection-rules/3402_vendor_impersonation_thread_hijack.yml

@@ -24,6 +24,15 @@ source: |
   and any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "bec" and .confidence != "low"
   )
+  // risky category
+  and any(ml.nlu_classifier(body.current_thread.text).topics,
+          .name in (
+            "Financial Communications",
+            "E-Signature",
+            "Benefit Enrollment"
+          )
+          and .confidence == "high"
+  )
   and 1 of (
     not network.whois(sender.email.domain).found,
     any(body.previous_threads, strings.icontains(.preamble, sender.display_name))
@@ -47,4 +56,4 @@ detection_methods:
 id: "2919da99-ceae-5d74-98cf-bb853d418415"
 og_id: "9c2f38ed-dfc3-5251-aaf1-3d35cf18369e"
 testing_pr: 3402
-testing_sha: 07fc37e7822dc96f7669096b6420842f8c9360b5
+testing_sha: be3a0abcd784d0e1db8e0d16d4804bf947ef47c1