From 4da08ccabe5850fbe608570c6e05ecbf12291333 Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Wed, 20 May 2026 18:24:36 -0500
Subject: [PATCH 1/2] Update phishing_simulation_knowbe4.yml
---
 .../headers/phishing_simulation_knowbe4.yml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/insights/headers/phishing_simulation_knowbe4.yml b/insights/headers/phishing_simulation_knowbe4.yml
index 6f581178694..46d98837970 100644
--- a/insights/headers/phishing_simulation_knowbe4.yml
+++ b/insights/headers/phishing_simulation_knowbe4.yml
@@ -13,11 +13,19 @@ source: |
 or (
 length(headers.ips) == 0
 and length(headers.hops) == 1
- and any(headers.hops, any(.fields, .name == "X-PHISHTEST"))
- and headers.return_path.domain.root_domain == "knowbe4.com"
- and not sender.email.domain.root_domain == "knowbe4.com"
- and any(headers.hops,
- any(.fields, strings.icontains(.value, "injector.psm.knowbe4.com"))
+ and any(headers.hops, any(.fields, strings.starts_with(.name, "X-PHISH")))
+ and (
+ (
+ headers.return_path.domain.root_domain == "knowbe4.com"
+ and any(headers.hops,
+ any(.fields,
+ strings.icontains(.value, "injector.psm.knowbe4.com")
+ )
+ )
+ )
+ or any(headers.hops,
+ any(.fields, strings.icontains(.value, "gmailapi.google.com"))
+ )
 )
 )
 )
From cd2b39958119ebbc30d7a979e351b4d3e7a0830d Mon Sep 17 00:00:00 2001
From: Josh Rickard <10687261+MSAdministrator@users.noreply.github.com>
Date: Wed, 20 May 2026 18:33:29 -0500
Subject: [PATCH 2/2] Update phishing_simulation_knowbe4.yml
---
 insights/headers/phishing_simulation_knowbe4.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/insights/headers/phishing_simulation_knowbe4.yml b/insights/headers/phishing_simulation_knowbe4.yml
index 46d98837970..12b8516779c 100644
--- a/insights/headers/phishing_simulation_knowbe4.yml
+++ b/insights/headers/phishing_simulation_knowbe4.yml
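Review bot: The new `or any(headers.hops, any(.fields, strings.icontains(.value, "gmailapi.google.com")))` alternative carries no KnowBe4 indicator at all, so after the header-name test is relaxed to `strings.starts_with(.name, "X-PHISH")` and the `not sender.email.domain.root_domain == "knowbe4.com"` guard is dropped, any single-hop message relayed through the Gmail API that includes a sender-supplied header whose name begins with `X-PHISH` is classified as a simulation, and whatever suppression or tagging this insight feeds would then apply to a genuine phish. The `knowbe4.com` return-path and `injector.psm.knowbe4.com` conditions only constrain the first alternative, and a header name is trivially attacker-controlled, which is presumably why the original required the exact `X-PHISHTEST` name together with both vendor anchors. If the Gmail branch is meant to cover KnowBe4 delivery via the Gmail API, give it a vendor-specific anchor of its own (for example a `strings.icontains(.value, "knowbe4")` test on the same hop fields, if such messages carry one — confirm against samples) and state that rationale in the rule's description; also note that `strings.starts_with` is a case-sensitive prefix test while the value checks use `strings.icontains`, so confirm whether header names are normalized before comparison. The `source:` expression begins above line 13 and only part of it is visible in this hunk.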
@@ -24,7 +24,7 @@ source: |
 )
 )
 or any(headers.hops,
- any(.fields, strings.icontains(.value, "gmailapi.google.com"))
+ any(.fields, strings.icontains(.value, "gmailapi.google.com"))
 )
 )
 )