From cc3dce61d76d8536799ba881a94e8a02a4ab48d9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 22 Dec 2022 14:25:50 +0100
Subject: [PATCH] fix: apply suggestions from code review

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 rules/proxy/proxy_exchange_owassrf_exploitation.yml | 2 +-
 rules/web/web_exchange_owassrf_exploitation.yml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
index d421eee17..30760d4ad 100644
--- a/rules/proxy/proxy_exchange_owassrf_exploitation.yml
+++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
@@ -17,7 +17,7 @@ detection:
 # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
 cs-method: 'POST'
 c-uri|contains|all:
- - '/owa/mastermailbox'
+ - '/owa/'
 - '/powershell'
 condition: selection
 falsepositives:
diff --git a/rules/web/web_exchange_owassrf_exploitation.yml b/rules/web/web_exchange_owassrf_exploitation.yml
index b72bb9181..0d71e438c 100644
--- a/rules/web/web_exchange_owassrf_exploitation.yml
+++ b/rules/web/web_exchange_owassrf_exploitation.yml
@@ -17,7 +17,8 @@ detection:
 # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
 cs-method: 'POST'
 c-uri|contains|all:
- - '/owa/mastermailbox'
+ - '/owa/'
+ - `@`
 - '/powershell'
 condition: selection
 falsepositives:
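Review bot: In rules/proxy/proxy_exchange_owassrf_exploitation.yml the `c-uri|contains|all` list is left with only `'/owa/'` and `'/powershell'`, while the matching hunk in rules/web/web_exchange_owassrf_exploitation.yml also adds an `@` term, so the two rules no longer select the same requests. Without that term the proxy rule fires on any POST whose URI contains both substrings, which is wider than the mailbox-address form shown in the comment above the selection and is likely to produce more false positives. Unless the difference is deliberate, add `- '@'` between the two items here as well. The selection mapping and the falsepositives section continue outside the hunk, so the falsepositives text should be checked against the wider match.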
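Review bot: The added `@` item in rules/web/web_exchange_owassrf_exploitation.yml is delimited with backticks instead of the single quotes used by the items on either side of it. A backtick is a reserved indicator in YAML and cannot start a plain scalar, so a strict parser rejects the file and the rule never loads; a lenient parser would keep the backticks in the value and search for a three-character string that does not occur in the URI. Write the line as `- '@'`. The selection mapping starts and ends outside the hunk.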