[PR #3023] modified rule: Brand impersonation: Twitter

github-actions[bot] · github-actions[bot] · commit 2b717e9867e4 · 2025-08-14T21:47:55.000Z
diff --git a/detection-rules/3023_impersonation_twitter.yml b/detection-rules/3023_impersonation_twitter.yml
@@ -17,15 +17,16 @@ source: |
     // "X" logic
     or (
       (
-        2 of (
-          regex.icontains(sender.display_name, '\bX\b'),
+        3 of (
           strings.iends_with(sender.email.domain.root_domain, "-x.com"),
+          any(body.links, strings.iends_with(.href_url.domain.root_domain, "-x.com")),
           strings.ilike(body.current_thread.text,
                         "*content dispute*",
                         "*copyright*",
                         "*appeal*"
           ),
-          strings.contains(body.current_thread.text, '1355 Market Street')
+          strings.contains(body.current_thread.text, '1355 Market Street'),
+          strings.ilike(body.current_thread.text, '*865 FM 1209*bastrop*')
         )
         or (
           any(ml.logo_detect(beta.message_screenshot()).brands,
@@ -76,4 +77,4 @@ detection_methods:
 id: "2d4a1e87-3f31-5f5f-8700-7c2bbed30a40"
 og_id: "013c32c2-fa05-5456-9c45-284e008ff6a4"
 testing_pr: 3023
-testing_sha: 958a80aa7b4adaf4dff5d38a2ca9a49bbd6d891a
+testing_sha: 8383563af78f4494c10e3c8016699c54a9306448
