From bebcc1fb1154e88b262b9bc42d90388ecc18a067 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 22 May 2026 10:38:52 -0700
Subject: [PATCH] Modify self-sender rule to detect suspicious links

Updated the rule to focus on suspicious links instead of copy/paste instructions.
---
 ...r_french_copypaste_instructions_suspicious_domains.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml b/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml
index a2c3f0979d8..8cbdec00e94 100644
--- a/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml
+++ b/detection-rules/self_sender_french_copypaste_instructions_suspicious_domains.yml
@@ -1,9 +1,11 @@
-name: "Self-sender with copy/paste instructions and suspicious domains (French/Français)"
+name: "Self-sender with suspicious links (French/Français)"
 description: "Detects messages where the sender emails themselves with French text containing 'copier' (copy) and 'coller' (paste) instructions, along with suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values."
 type: "rule"
 severity: "medium"
 source: |
   type.inbound
+  // message is in French
+  and ml.nlu_classifier(body.current_thread.text).language == 'french'
   // self sender
   and (
     length(recipients.to) == 1
@@ -13,10 +15,6 @@ source: |
   and strings.icontains(subject.subject, sender.email.email)
   and strings.icontains(subject.subject, sender.display_name)
   and sender.email.email != sender.display_name
-  // copy
-  and strings.icontains(body.current_thread.text, 'copier')
-  // paste
-  and strings.icontains(body.current_thread.text, 'coller')
   and (
     strings.contains(body.current_thread.text, '.pages.dev')
     or strings.contains(body.current_thread.text, '.web.app')
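Review bot: The `description` value kept as context on the new side still says the rule requires French text containing 'copier' (copy) and 'coller' (paste) instructions, but the second hunk removes both of those conditions, so the description no longer matches what the rule detects. It should be reworded to describe the new behaviour, e.g. `description: "Detects messages where the sender emails themselves with a French-language body that references suspicious domains like pages.dev or web.app. The subject line contains both the sender's email and display name, which are different values."`. The file name still carries `copypaste_instructions` as well, so renaming it alongside the `name` change would keep the rule discoverable. The added `ml.nlu_classifier(...).language == 'french'` condition presumably evaluates to false when the classifier yields no language for the body; worth confirming that is the intended outcome for short or attachment-only messages.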
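Review bot: With the 'copier'/'coller' conditions removed, the domain check is the only content signal left, yet `strings.contains(body.current_thread.text, '.pages.dev')` still matches a substring of the rendered body text rather than an actual link, so a rule now named "suspicious links" does not inspect link targets and will miss a hyperlink whose visible text differs from its href. Consider anchoring the check on link targets, e.g. `any(body.links, .href_url.domain.root_domain in ('pages.dev', 'web.app'))`, alongside or instead of the text match. The remaining check is also case-sensitive (`strings.contains`) while the neighbouring subject checks use `strings.icontains`, which looks inconsistent now that it carries the whole detection. Since the remaining conditions are much looser than before, a short comment on the expected false-positive volume, or a reassessment of the `medium` severity, would help reviewers judge the change.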