Sync from PR#2144

Create impersonation_schwab.yml by @morriscode
#2144
Source SHA 95b2c74
Triggered by @zoomequipd

detection-rules/impersonation_schwab.yml

@@ -29,23 +29,30 @@ source: |
   and not (
     sender.email.domain.root_domain in $org_domains
     or (
-      sender.email.domain.root_domain in (
-        "schwab.com",
-        "aboutschwab.com.",
-        "schwabmoneywise.com"
+      (
+        sender.email.domain.root_domain in (
+          "schwab.com",
+          "aboutschwab.com.",
+          "schwabmoneywise.com",
+          "schwabe.com", // law firm with name
+          "proxyvote.com", // sends shareholder voting information with subject of company name
+          "boheme-schwabing.de", // steakhouse
+          "lesschwab.com", // tire sales
+       )
+        or sender.email.domain.domain in ("schwabebooks.ccsend.com")
       )
       and headers.auth_summary.dmarc.pass
     )
   )
-    // and the sender is not from high trust sender root domains
-    and (
-      (
-        sender.email.domain.root_domain in $high_trust_sender_root_domains
-        and not headers.auth_summary.dmarc.pass
-      )
-      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  // and the sender is not from high trust sender root domains
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
     )
-    and not profile.by_sender().solicited
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not profile.by_sender().solicited
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
@@ -57,4 +64,4 @@ detection_methods:
   - "Sender analysis"
 id: "7abde595-bd69-5b79-8031-2c5a12b1767e"
 testing_pr: 2144
-testing_sha: de40d455580091824df1a9daf051dbfa2584ca0d
+testing_sha: 95b2c74fea4a1f80239cc68b5ca346887d645755