New Rule: Reply-to/Sender Mismatch with suspicious TLD

detection-rules/headers_replyto_mismatch_sus_tld.yml

@@ -0,0 +1,22 @@
+name: "Reply-to/Sender Mismatch with suspicious TLD"
+description: |
+  This rule detects a mismatch between the reply-to and the sender email addresses, and one or both of them are from suspicious TLDs
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    any(headers.reply_to,
+        .email.email != sender.email.email
+        and .email.domain.domain != sender.email.domain.domain
+        and not strings.icontains(sender.display_name, "marketing")
+        and any([.email.domain.tld, sender.email.domain.tld], . in $suspicious_tlds)
+    )
+  )
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+
+id: "a5f5b25a-0b7d-5ecc-8cf8-295a8433bad1"