From 5ffe21f0212c59149ab9a53c34db1d847417a017 Mon Sep 17 00:00:00 2001
From: cw-sublime
Date: Fri, 29 May 2026 14:40:09 -0400
Subject: [PATCH] Add condition for 'open document' in detection rule
---
 detection-rules/impersonation_adobe_suspicious_language_link.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/impersonation_adobe_suspicious_language_link.yml b/detection-rules/impersonation_adobe_suspicious_language_link.yml
index 2ed0132bc9d..f3ffb64efeb 100644
--- a/detection-rules/impersonation_adobe_suspicious_language_link.yml
+++ b/detection-rules/impersonation_adobe_suspicious_language_link.yml
@@ -35,6 +35,7 @@ source: |
 or strings.icontains(body.current_thread.text, 'access file')
 or strings.icontains(body.current_thread.text, 'pending document')
 or any(body.links, strings.ilike(.display_text, 'review and sign'))
+ or any(body.links, strings.ilike(.display_text, 'open document'))
 )
 and length(body.current_thread.text) < 2000
 )
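Review bot: The added `strings.ilike(.display_text, 'open document')` carries no `*` wildcard, so it should only fire when a link's display text is exactly that phrase (case aside). Button text such as "Open Document Now", or the phrase with a trailing arrow glyph, would not match. If those variants are in scope, `or any(body.links, strings.ilike(.display_text, '*open document*'))` covers them; the same applies to the existing 'review and sign' line this one mirrors. The looser pattern widens the match surface, so it is worth checking against benign Adobe Sign traffic before shipping. The enclosing condition group opens above the hunk, so I cannot see which sender or brand checks gate this branch; a short `//` comment on the two link-text lines stating whether exact match is intentional would save the next reviewer the same question.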