Update impersonation_twitter.yml (#3023)

aidenmitchell · web-flow · commit 130d897f9e6f · 2025-08-15T09:02:10.000Z
diff --git a/detection-rules/impersonation_twitter.yml b/detection-rules/impersonation_twitter.yml
@@ -16,15 +16,30 @@ source: |
     )
     // "X" logic
     or (
-      any(ml.logo_detect(beta.message_screenshot()).brands,
-          .name == "X" and .confidence == "high"
-      )
-      and (
-        any(ml.nlu_classifier(body.current_thread.text).intents,
-            .name == "cred_theft" and .confidence == "high"
+      (
+        3 of (
+          strings.iends_with(sender.email.domain.root_domain, "-x.com"),
+          any(body.links, strings.iends_with(.href_url.domain.root_domain, "-x.com")),
+          strings.ilike(body.current_thread.text,
+                        "*content dispute*",
+                        "*copyright*",
+                        "*appeal*"
+          ),
+          strings.contains(body.current_thread.text, '1355 Market Street'),
+          strings.ilike(body.current_thread.text, '*865 FM 1209*bastrop*')
         )
-        or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
-            .name == "cred_theft" and .confidence == "high"
+        or (
+          any(ml.logo_detect(beta.message_screenshot()).brands,
+              .name == "X" and .confidence == "high"
+          )
+          and (
+            any(ml.nlu_classifier(body.current_thread.text).intents,
+                .name == "cred_theft" and .confidence == "high"
+            )
+            or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
+                   .name == "cred_theft" and .confidence == "high"
+            )
+          )
         )
       )
       and any(beta.ml_topic(body.current_thread.text).topics,
