From c05b52f5abb618509102c31f0ec0a966e98da081 Mon Sep 17 00:00:00 2001
From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com>
Date: Fri, 7 Nov 2025 15:23:03 -0500
Subject: [PATCH] LWescott updating brand_impersonation_google_careers to
 exclude the sublime domain from the sender exclusion

---
 detection-rules/brand_impersonation_google_careers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/brand_impersonation_google_careers.yml b/detection-rules/brand_impersonation_google_careers.yml
index 4d186276450..79deca6c6f5 100644
--- a/detection-rules/brand_impersonation_google_careers.yml
+++ b/detection-rules/brand_impersonation_google_careers.yml
@@ -37,7 +37,7 @@ source: |
   )
   and not any(body.links, .href_url.domain.root_domain in ("google.com", "c.gle"))
   and not (
-    sender.email.domain.root_domain in ("google.com")
+    sender.email.domain.root_domain in ("google.com", "sublimesecurity.com")
     and headers.auth_summary.dmarc.pass
   )
 attack_types: