[PR #3050] modified rule: Brand Impersonation: Salesforce

github-actions[bot] · github-actions[bot] · commit 39000c777895 · 2025-08-05T18:22:48.000Z
diff --git a/detection-rules/3050_brand_impersonation_salesforce.yml b/detection-rules/3050_brand_impersonation_salesforce.yml
@@ -13,11 +13,16 @@ source: |
   and not (
     (
       // legitimate domains
-      sender.email.domain.root_domain in (
-        "salesforce.com",
-        "salesforceventures.com",
-        "tangocard.com", //https://www.tangocard.com/salesforce-partnership
-        "elevatesalesforce.com" // unrelated but name in domain 
+      (
+        sender.email.domain.root_domain in (
+          "salesforce.com",
+          "salesforceventures.com",
+          "tangocard.com", // https://www.tangocard.com/salesforce-partnership
+          "elevatesalesforce.com", // unrelated but name in domain 
+          "salesforceben.com", // salesforce newsletter
+          "connectwithsal.com" // levenshtein 
+        )
+        or sender.email.domain.domain in ("salesforce.rxsavingssolutions.com") // unrelated but legit domain 
       )
       and headers.auth_summary.dmarc.pass
     )
@@ -59,4 +64,4 @@ detection_methods:
 id: "c5f0e666-81f0-5d17-a470-12ab75113631"
 og_id: "736dfb87-1f99-5cdb-aefc-392257376f3d"
 testing_pr: 3050
-testing_sha: 75ff228fd19d964d7633fd94026c146efec4de3f
+testing_sha: 4ab18f108393f5bc666bcede56c727bfe331192c
