From c33fba2a1acdf34437542527b4e3c46deff4c68e Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 7 Feb 2025 09:12:38 -0800
Subject: [PATCH] Update credential_phishing_corporate_services_impersonation.yml (#2390)
---
 ..._services_impersonation_with_suspicious_link.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml b/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
index 4290cf09c4d..a4cbb9dcd46 100644
--- a/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
+++ b/detection-rules/credential_phishing_corporate_services_impersonation_with_suspicious_link.yml
@@ -36,13 +36,20 @@ source: |
 "HR (new|vue|view|tech admin|global)"
 )
 )
-
+ // or assessment report language found in body
 or (
- regex.icontains(body.current_thread.text, '20\d{2}(?:[[:punct:]](?:20)?\d{2})? (?:\w+ )?assessment report')
+ regex.icontains(body.current_thread.text,
+ '20\d{2}(?:[[:punct:]](?:20)?\d{2})? (?:\w+ )?assessment report'
+ )
+ )
+
+ // or HR department language found in body via NLU
+ or any(ml.nlu_classifier(body.current_thread.text).entities,
+ .name == "org" and regex.icontains(.text, '\bhr\b', 'human resources')
 )
 )
-
+ // suspicious display_text
 and (
 any(body.links,