[PR #3050] modified rule: Brand Impersonation: Salesforce

github-actions[bot] · github-actions[bot] · commit 72fb345e5d52 · 2025-08-07T01:24:13.000Z
diff --git a/detection-rules/3050_brand_impersonation_salesforce.yml b/detection-rules/3050_brand_impersonation_salesforce.yml
@@ -21,7 +21,12 @@ source: |
           "elevatesalesforce.com", // unrelated but name in domain 
           "salesforceben.com", // salesforce newsletter
           "connectwithsal.com", // levenshtein 
-          "smartsheet.com" // used by salesforce
+          "smartsheet.com", // used by salesforce
+          "hic-salesforce.com", // third party salesforce partner
+          "aspiresalesforceconsultancy.net", // third party salesforce partner
+          "kestoneglobal.biz", // third party 
+          "salesforceeurope.com", // outsourced salesforce staffing
+          "salesforcerecruiter.com" // outsourced salesforce staffing
         )
         or sender.email.domain.domain in ("salesforce.rxsavingssolutions.com") // unrelated but legit domain 
       )
@@ -34,8 +39,8 @@ source: |
         or regex.icontains(subject.subject, "(training|bootcamp)")
       )
       and headers.auth_summary.dmarc.pass
-    )
-    // email from own domain with salesforce notification
+   )
+  //  email from own domain with salesforce notification
     or (
       sender.email.domain.root_domain in $org_domains
       and not headers.auth_summary.dmarc.pass
@@ -65,4 +70,4 @@ detection_methods:
 id: "c5f0e666-81f0-5d17-a470-12ab75113631"
 og_id: "736dfb87-1f99-5cdb-aefc-392257376f3d"
 testing_pr: 3050
-testing_sha: ac8c7a84e5ee302772c0619c2a69201a99b15ad2
+testing_sha: 74f6f20e9fc90e4e0f69ceba192f60d02adbbd1e
