Update vip_impersonation_subject.yml (#3078)

Author: morriscode

detection-rules/vip_impersonation_subject.yml

@@ -1,12 +1,12 @@
 name: "VIP / Executive impersonation in subject (untrusted)"
 description: |
   Sender subject contains the display name of a user in the $org_vips list, and the sender has never been seen before.
-
+  
   The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work.
   Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list
-
+  
   This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender.
-
+  
   Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
 type: "rule"
 severity: "medium"
@@ -18,13 +18,15 @@ source: |
   )
   // not being sent to said VIP
   and not (
-    length(recipients.to) == 1
-    and all(recipients.to,
-            any($org_vips,
-                .email == ..email.email
-                and strings.contains(subject.subject, .display_name)
-                and strings.contains(.display_name, " ")
-            )
+    (
+      length(recipients.to) == 1
+      and all(recipients.to,
+              any($org_vips,
+                  .email == ..email.email
+                  and strings.contains(subject.subject, .display_name)
+                  and strings.contains(.display_name, " ")
+              )
+      )
     )
   )
   and (