From 121fb68bf0a3b0a0f035223d91ef57ae3c4c3cf3 Mon Sep 17 00:00:00 2001
From: Mark Morris <mark.m@sublimesecurity.com>
Date: Thu, 21 May 2026 10:20:31 -0400
Subject: [PATCH] Update brand_impersonation_irs.yml

---
 detection-rules/brand_impersonation_irs.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/detection-rules/brand_impersonation_irs.yml b/detection-rules/brand_impersonation_irs.yml
index 2e6bdb9a123..0dcdcfe9739 100644
--- a/detection-rules/brand_impersonation_irs.yml
+++ b/detection-rules/brand_impersonation_irs.yml
@@ -22,6 +22,10 @@ source: |
               .name == "Government Services" and .confidence != "low"
       )
     )
+    or any(ml.nlu_classifier(body.current_thread.text).entities,
+           .name == "sender" and regex.imatch(.text, 'I.?R.?S')
+           or strings.contains(.text, "Internal Revenue Service")
+    )
   )
   and (
     (