From a05b81a70b845ac3630bb48eeaa5275ac188f5d2 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 8 Sep 2023 03:49:10 +0000
Subject: [PATCH] Sync from PR#782 New Rule: Reply-to/Sender Mismatch with suspicious TLD by @morriscode https://github.com/sublime-security/sublime-rules/pull/782 Source SHA 6cb6d80dadb1c649790026ac7a291629fb539604 Triggered by @morriscode
---
 .../headers_replyto_mismatch_sus_tld.yml | 95 +++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 detection-rules/headers_replyto_mismatch_sus_tld.yml
diff --git a/detection-rules/headers_replyto_mismatch_sus_tld.yml b/detection-rules/headers_replyto_mismatch_sus_tld.yml
new file mode 100644
index 00000000000..85e5a5d2684
--- /dev/null
+++ b/detection-rules/headers_replyto_mismatch_sus_tld.yml
@@ -0,0 +1,95 @@
+name: "Reply-to/Sender Mismatch with suspicious TLD"
+description: |
+ This rule detects a mismatch between the reply-to and the sender email addresses, and one or both of them are from suspicious TLDs
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ any(headers.reply_to,
+ .email.email != sender.email.email
+ and any([.email.domain.tld, sender.email.domain.tld],
+
+ // https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt
+ . in (
+ "ae",
+ "agency",
+ "asia",
+ "autos",
+ "bar",
+ "beauty",
+ "bid",
+ "bio",
+ "biz",
+ "boats",
+ "boston",
+ "boutique",
+ "buzz",
+ "cf",
+ "cfd",
+ "cn",
+ "cyou",
+ "dad",
+ "dance",
+ "degree",
+ "discount",
+ "esq",
+ "fit",
+ "foo",
+ "fun",
+ "fyi",
+ "gdn",
+ "gq",
+ "guru",
+ "hair",
+ "haus",
+ "in",
+ "jp",
+ "live",
+ "loan",
+ "loans",
+ "makeup",
+ "market",
+ "ml",
+ "mom",
+ "monster",
+ "mov",
+ "name",
+ "nexus",
+ "okinawa",
+ "ooo",
+ "phd",
+ "prof",
+ "pw",
+ "quest",
+ "rest",
+ "review",
+ "ru",
+ "sbs",
+ "skin",
+ "space",
+ "surf",
+ "tk",
+ "tokyo",
+ "top",
+ "uno",
+ "voto",
+ "website",
+ "wiki",
+ "work",
+ "wtf",
+ "xyz",
+ "zip",
+ "zone"
+ )
+ )
+ )
+ )
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
+id: "a5f5b25a-0b7d-5ecc-8cf8-295a8433bad1"
+testing_pr: 782
+testing_sha: 6cb6d80dadb1c649790026ac7a291629fb539604
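Review bot: The mismatch test `.email.email != sender.email.email` fires on any Reply-To that differs from the sender by local part alone, and because the `any([...], . in (...))` form is satisfied by the sender's TLD by itself, a legitimate sender on a widely used country TLD from the list (`jp`, `in`, `cn`, `ru`, `ae`) whose Reply-To is simply another mailbox at the same domain (noreply vs. support) will match at medium severity. Comparing domains rather than full addresses, `.email.domain.root_domain != sender.email.domain.root_domain`, narrows the rule to the cross-domain case its name describes; I believe `root_domain` is what other reply-to mismatch rules in this repo use, so it should be available here. The TLD list is a point-in-time copy of a third-party list whose comment URL points at a moving `main` branch, so extending that comment with the date or upstream commit the list was copied from (`// snapshot of <upstream commit or date>`) would let a later reviewer tell whether it has drifted. The description should also say plainly that whole country TLDs are included, since that is the main false-positive source a tuner will need to know about.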