From bd7e90c8265d1b9875d96c62f3f8b4e609d247ad Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Tue, 28 Jan 2025 15:22:02 -0800
Subject: [PATCH] Update impersonation_wise.yml

---
 detection-rules/impersonation_wise.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/detection-rules/impersonation_wise.yml b/detection-rules/impersonation_wise.yml
index 7779534b947..eb2b0bf7e8f 100644
--- a/detection-rules/impersonation_wise.yml
+++ b/detection-rules/impersonation_wise.yml
@@ -228,6 +228,11 @@ source: |
 )
 and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs', 'splitwise.com', 'connectwise.com')
+ // negate messages sent via Google Groups
+ and not any(headers.hops,
+ .index == 0 and any(.fields, strings.icontains(.value, "googlegroups"))
+ )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
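Review bot: The new Google Groups exclusion tests the value of every field on hop 0 for the substring "googlegroups", so the rule is suppressed whenever any header on that hop happens to contain that string, not only when the message was actually relayed by Google Groups; because an arbitrary header value is not something this rule otherwise verifies, the negation is broader than the comment `// negate messages sent via Google Groups` suggests. Scoping the check to the header Google Groups actually sets narrows it without changing the intent, e.g. `.index == 0 and any(.fields, .name == "List-ID" and strings.icontains(.value, "googlegroups"))`, and the comment could then name that header. It is also worth a sentence in the comment on why hop 0 alone is checked (`// only the first hop, so a forwarded copy is not excluded — confirm`), since the choice of `.index == 0` is not explained. The `source:` block this clause belongs to begins before the hunk.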