From 0e1410a12e4184075e17d4d873c18006ff663c6a Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 17 Aug 2023 20:28:31 +0000
Subject: [PATCH] Sync from PR#669 New Rule: Headers: Recipient SLD match X-mailer by @morriscode https://github.com/sublime-security/sublime-rules/pull/669 Source SHA 7dda1aa68e412d27faecf2cf2c7851146fb11ea4 Triggered by @morriscode
---
 .../headers_recipient_sld_matches_mailer.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 detection-rules/headers_recipient_sld_matches_mailer.yml

diff --git a/detection-rules/headers_recipient_sld_matches_mailer.yml b/detection-rules/headers_recipient_sld_matches_mailer.yml
new file mode 100644
index 00000000000..9bb86fe6a0b
--- /dev/null
+++ b/detection-rules/headers_recipient_sld_matches_mailer.yml
@@ -0,0 +1,13 @@
+name: "Headers: Recipient SLD matches X-mailer"
+description: "This rule flags messages where the recipients Single Level Domain (SLD) is an exact match of the X-mailer value. This has been observed in Credential Phishing campaigns. \n"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound and any(recipients.to, .email.domain.sld == headers.mailer)
+attack_types:
+  - "Credential Phishing"
+detection_methods:
+  - "Header analysis"
+id: "0eca4648-0e8a-5602-8e7b-d2233c983a33"
+testing_pr: 669
+testing_sha: 7dda1aa68e412d27faecf2cf2c7851146fb11ea4
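Review bot: The `description` expands SLD as "Single Level Domain", but the field the `source` compares, `.email.domain.sld`, is the second-level domain (the label left of the public suffix), so the text misdescribes what the rule actually matches; suggest `description: "This rule flags messages where the recipient's second-level domain (SLD) is an exact match of the X-Mailer header value. This has been observed in credential phishing campaigns."` (also dropping the stray trailing `\n` inside the quoted string, which becomes a literal newline in the value). The comparison `==` is an exact match, so an X-Mailer value that differs from the SLD only in letter case presumably will not fire; if that narrowing is intentional it is worth stating in the description, otherwise a case-insensitive string comparison would widen coverage. Only `recipients.to` is inspected, so a recipient that appears only in CC is never checked — confirm that scoping is deliberate.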