Commit

Sync from PR#932
TEST - Update headers_russia_return_path.yml by @morriscode
#932
Source SHA 779a368
Triggered by @morriscode
Sublime Rule Testing Bot committed Nov 7, 2023
1 parent 864a378 commit e226e3f
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions detection-rules/headers_russia_return_path.yml
@@ -0,0 +1,19 @@
name: "Russia return-path TLD (first-time sender)"
description: |
The return-path header is a .ru TLD and first-time sender.
type: "rule"
severity: "low"
source: |
type.inbound
and headers.return_path.domain.tld == "ru"
and sender.email.email not in $recipient_emails
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
- "Malware/Ransomware"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "588b3954-c03a-57fb-b5a4-abf993a8c003"
testing_pr: 932
testing_sha: 779a368e54da93bb7625d163243f2d5d0c100308
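Review bot: The `source` block does not implement what the name and description promise. `name` and `description` say "first-time sender", but the only sender condition in the hunk is `sender.email.email not in $recipient_emails`, which excludes senders whose address is one of the organization's own recipient addresses; it says nothing about whether the sender has been seen before. Either add the intended first-time-sender condition to `source` or reword `name` and `description` to match the check that is actually there, so analysts triaging a `low` severity hit on a `.ru` return-path are not misled about why it fired. A smaller point: the `description` would be clearer as "The return-path domain has a .ru TLD and the sender is not an internal recipient address" (or whatever the final condition is), since "is a .ru TLD and first-time sender" reads as two claims about the header.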
