Commit 2cfc2a7e by Tyler Linne Committed by GitHub

Update Email_quota_limit_warning

Added $eml strings and condition. Raised the $body condition threshold so that more string matches are required, to avoid false positives.
parent 3d29d980
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
organization, as long as you use it under this license.
*/
rule Email_quota_limit_warning : mail
{
meta:
Author = "Tyler Linne @InfoSecTyler"
Author = "Tyler Linne <@InfoSecTyler>"
Description ="Rule to prevent against known email quota limit phishing campaign"
strings:
$eml_01 = "From:" //Added eml context
$eml_02 = "To:"
$eml_03 = "Subject:"
$subject1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } // Range allows for different company names to be accepted
$hello1={ 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 }
$body1="You have exceded" nocase
$body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 [0-4] } //Range allows for different quota "upgrades"
$body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 [0-4] } //Range allows for different quota "upgrade" sizes
$body3="requested to expand it within 24 hours" nocase
$body4="e-mail account will be disable from our database" nocase
$body5="simply click with the complete information" nocase
......@@ -16,5 +24,8 @@ rule Email_quota_limit_warning : mail
$body7={54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 75 73 69 6e 67 20 [0-11] 20 57 65 62 6d 61 69 6c } // Range allows for different company names to be accepted
condition:
1 of ($subject*) and 1 of ($hello*) and 2 of ($body*)
all of ($eml_*) and
1 of ($subject*) and
1 of ($hello*) and
4 of ($body*)
}
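Review bot: $body2 ends its hex pattern with the jump `[0-4]` (the `$body2={65 2d ... 6f 66 [0-4] }` line in the first hunk), and as far as I recall YARA's hex-string grammar only accepts a jump between two tokens, so this rule likely fails to compile; even where a trailing jump were accepted it constrains no bytes after `of`, so it cannot do what the comment says. Dropping it, `$body2={65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66}`, keeps the intended "e-mail account limit quota of" match unchanged. In the new condition, `1 of ($subject*) and 1 of ($hello*)` is redundant because $subject1 and $hello1 are byte-identical hex strings, so one term can be removed or the two strings should be made distinct. The new $eml_ strings are case-sensitive while RFC 5322 header field names are not, so `nocase` on them would be consistent with the $body strings; note also that `all of ($eml_*)` matches nearly any mail, so it adds context rather than reducing false positives. The strings section between the two hunks is collapsed, so $body6 is not visible here.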