From 04b52561b0cf2545e40e7a87c330cd2c088063ac Mon Sep 17 00:00:00 2001
From: heraklit256 <37872459+heraklit256@users.noreply.github.com#>
Date: Sun, 9 Sep 2018 18:21:12 +0200
Subject: [PATCH] improve composite rules for phish messages

---
 conf/composites.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/composites.conf b/conf/composites.conf
index 24f198aac..12f445990 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -68,7 +68,7 @@ composites {
         expression = "MAILER_1C_8 & (FROM_EXCESS_BASE64 | MIME_BASE64_TEXT | SUBJ_EXCESS_BASE64 | TO_EXCESS_BASE64)";
     }
     HACKED_WP_PHISHING {
-        expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
+        expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK)";
         description = "Phish message sent by hacked Wordpress instance";
         policy = "leave";
     }
@@ -105,7 +105,7 @@ composites {
         score = 1.0;
     }
     PHISH_EMOTION {
-        expression = "(HACKED_WP_PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
+        expression = "(PHISHING | DBL_PHISH | PHISHED_OPENPHISH | PHISHED_PHISHTANK) & (SUBJECT_ENDS_QUESTION | SUBJECT_ENDS_EXCLAIM)";
         description = "Phish message with subject trying to address users emotion";
         score = 2.0;
     }
-- 
2.39.5