From 731688b77db6139f7536feaffca882c6b721e32a Mon Sep 17 00:00:00 2001
From: cw-sublime <courtney.w@sublimesecurity.com>
Date: Wed, 27 May 2026 17:34:57 -0400
Subject: [PATCH] Modify length check and fix Geek Squad formatting

---
 detection-rules/callback_phishing_nlu_body_or_attachments.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 9cba722b51d..5da4d3cd8fc 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -49,12 +49,12 @@ source: |
         (
           270 < length(body.current_thread.text) < 1750
           or (
-            75 < length(body.current_thread.text) < 1750
+            75 < length(body.current_thread.text) < 2000
             and (
               strings.ilike(body.current_thread.text,
                             "*PayPal*",
                             "*Norton*",
-                            "*GeekSquad*",
+                            "*Geek Squad*",
                             "*Ebay*",
                             "*McAfee*",
                             "*=1"