Update susp_email_redirection_spoofing.yar

cod3nym · web-flow · commit c3758b208ffc · 2025-02-28T17:35:47.000+01:00
Avoid regex usage for efficiency
diff --git a/yara/susp_email_redirection_spoofing.yar b/yara/susp_email_redirection_spoofing.yar
@@ -12,9 +12,7 @@ rule SUSP_Email_Redirection_Spoofing_Feb25 {
       $sa1 = "Content-Transfer-Encoding:" ascii
       $sa2 = "Subject:" ascii
 
-      $s1 = /\.com%(20%){5,}=/ ascii
-      $s2 = /(20%){5,}=/ ascii
+      $x = ".com%20%20%20%20%20%" ascii
    condition:
       all of them
-      and #s2 > 5
 }
