[PR #3027] modified rule: Link: Multiple HTTP protocols in single URL

Author: github-actions[bot]

detection-rules/3027_link_multiple_http_protocols_in_single_url.yml

@@ -8,6 +8,8 @@ source: |
   and any(body.current_thread.links,
           .visible
           // no ability to loop query_params_decoded, so create the non-decoded equivlent 
+          and not strings.icontains(.href_url.url, 'unsubscribe')
+          and not strings.icontains(.display_text, 'unsubscribe')
           and any(regex.extract(.href_url.query_params,
                                 '[?&](?P<name>[^=&]+)(?:=(?P<value>[^&]*))?'
                   ),
@@ -16,7 +18,7 @@ source: |
                   regex.contains(.named_groups['value'],
                                  '^(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                   )
-                  // the number of unique domains in the URL query param is greater or equal to 2
+                  // the number of unique domains in the URL query param is greater or equal to three
                   and length(distinct(map(filter(regex.iextract(.named_groups['value'],
                                                          '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)(?P<domain>[^/\s&%]+)'
                                           ),
@@ -32,7 +34,7 @@ source: |
                              ), .)
                   ) >= 3
   
-                  // there are five or more total URLs in that query param
+                  // there are three or more total URLs in that query param
                   and regex.count(.named_groups['value'],
                                   '(?:https?(?:%253[Aa]|%3[Aa]|:))?(?:%252[Ff]|%2[Ff]|/)(?:%252[Ff]|%2[Ff]|/)'
                   ) >= 3
@@ -52,4 +54,4 @@ detection_methods:
 id: "dea82f37-8cfd-5233-9deb-bc436aba8182"
 og_id: "92f9d241-ebd2-53b8-9c67-6f9ec3e263b8"
 testing_pr: 3027
-testing_sha: c54242faa3be72f6990dc70be2dba12603690f97
+testing_sha: 908c8e4b153d3186056418f2295bf2e2e62fd89e