diff --git a/detection-rules/headers_recipient_sld_matches_mailer.yml b/detection-rules/headers_recipient_sld_matches_mailer.yml
new file mode 100644
index 00000000000..9bb86fe6a0b
--- /dev/null
+++ b/detection-rules/headers_recipient_sld_matches_mailer.yml
@@ -0,0 +1,13 @@
+name: "Headers: Recipient SLD matches X-mailer"
+description: "This rule flags messages where the recipients Single Level Domain (SLD) is an exact match of the X-mailer value. This has been observed in Credential Phishing campaigns. \n"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound and any(recipients.to, .email.domain.sld == headers.mailer)
+attack_types:
+  - "Credential Phishing"
+detection_methods:
+  - "Header analysis"
+id: "0eca4648-0e8a-5602-8e7b-d2233c983a33"
+testing_pr: 669
+testing_sha: 7dda1aa68e412d27faecf2cf2c7851146fb11ea4
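Review bot: The description expands SLD as "Single Level Domain", but the field the rule reads is `.email.domain.sld`, which is the second-level domain; the description also has a possessive typo ("recipients") and a trailing space plus an escaped `\n` inside the double-quoted string, which puts a stray newline into the rendered text. I would change the line to `description: "This rule flags messages where the recipient's Second Level Domain (SLD) is an exact match of the X-Mailer value. This has been observed in Credential Phishing campaigns."`. On the detection logic itself, `.email.domain.sld == headers.mailer` is a bare equality against the header, so its behaviour when the X-Mailer header is absent and whether the comparison is case-sensitive are not visible in this hunk; if `==` is case-sensitive here, a mailer value that differs only in letter case from the SLD would not match, which is worth confirming against test data and noting in the description.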