Commit

Sync from PR#669
New Rule: Headers: Recipient SLD match X-mailer by @morriscode
#669
Source SHA 7dda1aa
Triggered by @morriscode
Sublime Rule Testing Bot committed Aug 17, 2023
1 parent 1ebf8cb commit 0e1410a
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions detection-rules/headers_recipient_sld_matches_mailer.yml
@@ -0,0 +1,13 @@
name: "Headers: Recipient SLD matches X-mailer"
description: "This rule flags messages where the recipients Single Level Domain (SLD) is an exact match of the X-mailer value. This has been observed in Credential Phishing campaigns. \n"
type: "rule"
severity: "medium"
source: |
type.inbound and any(recipients.to, .email.domain.sld == headers.mailer)
attack_types:
- "Credential Phishing"
detection_methods:
- "Header analysis"
id: "0eca4648-0e8a-5602-8e7b-d2233c983a33"
testing_pr: 669
testing_sha: 7dda1aa68e412d27faecf2cf2c7851146fb11ea4
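Review bot: The description and the query disagree on what "SLD" means: the text expands it as "Single Level Domain", but the field the rule actually compares is `.email.domain.sld`, which in this rule set denotes the second-level domain (the label directly under the public suffix), so the description should read "second-level domain (SLD)" and "recipients" should be "recipient's". Two scope points worth stating in the description as well: the condition only walks `recipients.to`, so a message where the match occurs on a CC or BCC recipient is not flagged, which is fine if that is the observed pattern but should be deliberate; and the comparison is an exact `==` against `headers.mailer`, so any difference in letter case or surrounding whitespace between the X-Mailer value and the domain label will not match, and a case-insensitive comparison is the safer choice if the query language offers one. Finally, consider a short note on false-positive exposure, since an organization whose internal mail tooling sets X-Mailer to its own domain name will match every inbound message it sends to itself.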
