From 126a59ed30096ff804c11c464011ae228bb744c6 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Fri, 31 Oct 2025 16:51:50 -0700
Subject: [PATCH] Update predatory_academic_journal.yml for quarantine logic

Refactor logic to negate Microsoft quarantine messages with additional conditions.
---
 .../predatory_academic_journal.yml | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/detection-rules/predatory_academic_journal.yml b/detection-rules/predatory_academic_journal.yml
index d109a148be8..eb8bfaa83aa 100644
--- a/detection-rules/predatory_academic_journal.yml
+++ b/detection-rules/predatory_academic_journal.yml
@@ -143,15 +143,20 @@ source: |
 // negate microsoft quarantine messages
 and not (
- any(body.links,
- (
- strings.icontains(.display_text, "Review Message") or strings.icontains(.display_text, "Passer en revue le message")
- )
- and (
- .href_url.domain.domain == "security.microsoft.com"
- and .href_url.path == "/quarantine"
+ sender.email.email == "quarantine@messaging.microsoft.com"
+ and (
+ headers.auth_summary.dmarc.pass
+ // no sender auth but MS AuthAs is Internal
+ or (
+ not coalesce(headers.auth_summary.dmarc.pass, false)
+ and any(headers.hops,
+ .index == 0
+ and any(.fields,
+ .name == "X-MS-Exchange-CrossTenant-AuthAs"
+ and .value == "Internal"
+ )
 )
+ )
 )
 )