Update impersonation_paypal.yml (#3076)

Author: markmsublime

detection-rules/impersonation_paypal.yml

@@ -11,6 +11,7 @@ source: |
     strings.replace_confusables(sender.display_name) =~ "paypal"
     or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'paypal') <= 1
     or strings.ilike(strings.replace_confusables(sender.display_name), '*paypal*')
+    or strings.icontains(body.current_thread.text, "paypal billing team")
     or any(attachments,
            (.file_type in $file_types_images or .file_type == "pdf")
            and any(ml.logo_detect(.).brands, .name == "PayPal")