From d23c31d13aa018700d3e163ffc7d67407d4e8052 Mon Sep 17 00:00:00 2001
From: John Farina <john.f@sublimesecurity.com>
Date: Fri, 22 May 2026 16:18:11 -0400
Subject: [PATCH] Update brand_impersonation_procore.yml

---
 detection-rules/brand_impersonation_procore.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/detection-rules/brand_impersonation_procore.yml b/detection-rules/brand_impersonation_procore.yml
index c72ddccd95b..ab90273f694 100644
--- a/detection-rules/brand_impersonation_procore.yml
+++ b/detection-rules/brand_impersonation_procore.yml
@@ -14,7 +14,7 @@ source: |
     or (
       strings.iends_with(sender.display_name, 'via Procore')
       and any(body.current_thread.links,
-              .href_url.domain.root_domain == "blogspot.com"
+              .href_url.domain.root_domain in $free_subdomain_hosts
       )
     )
   )
@@ -22,7 +22,7 @@ source: |
     sender.email.domain.root_domain in ("procore.com", "procoretech.com")
     and coalesce(headers.auth_summary.dmarc.pass, false)
   )
-
+  
   // negating legit replies/forwards
   and not (
     (