

Sync from PR#782
New Rule: Reply-to/Sender Mismatch with suspicious TLD by @morriscode
#782
Source SHA 9611a3e
Triggered by @morriscode
Sublime Rule Testing Bot committed Oct 3, 2023
1 parent fe4974b commit b18bdc9
Showing 1 changed file with 4 additions and 76 deletions.
80 changes: 4 additions & 76 deletions detection-rules/headers_replyto_mismatch_sus_tld.yml
Expand Up @@ -8,81 +8,9 @@ source: |
and (
any(headers.reply_to,
.email.email != sender.email.email
and any([.email.domain.tld, sender.email.domain.tld],
// https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt
. in (
"ae",
"agency",
"asia",
"autos",
"bar",
"beauty",
"bid",
"bio",
"biz",
"boats",
"boston",
"boutique",
"buzz",
"cf",
"cfd",
"cn",
"cyou",
"dad",
"dance",
"degree",
"discount",
"esq",
"fit",
"foo",
"fun",
"fyi",
"gdn",
"gq",
"guru",
"hair",
"haus",
"in",
"jp",
"live",
"loan",
"loans",
"makeup",
"market",
"ml",
"mom",
"monster",
"mov",
"name",
"nexus",
"okinawa",
"ooo",
"phd",
"prof",
"pw",
"quest",
"rest",
"review",
"ru",
"sbs",
"skin",
"space",
"surf",
"tk",
"tokyo",
"top",
"uno",
"voto",
"website",
"wiki",
"work",
"wtf",
"xyz",
"zip",
"zone"
)
)
and .email.domain.domain != sender.email.domain.domain
and not strings.icontains(sender.display_name, "marketing")
and any([.email.domain.tld, sender.email.domain.tld], . in $suspicious_tlds)
)
)
tactics_and_techniques:
Expand All @@ -92,4 +20,4 @@ detection_methods:
- "Sender analysis"
id: "a5f5b25a-0b7d-5ecc-8cf8-295a8433bad1"
testing_pr: 782
testing_sha: 6cb6d80dadb1c649790026ac7a291629fb539604
testing_sha: 9611a3e517c280c98beea720aa4b32c536232478
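Review bot: The new exclusion `and not strings.icontains(sender.display_name, "marketing")` keys on a field the sending party sets itself, so it is a false-positive tuning knob rather than a trust signal, yet the rule records no rationale for it and nothing stops it from suppressing the very mismatch the rule exists to catch. Add a why-comment directly above that line, e.g. `// tuning exclusion for bulk-mail platforms whose reply-to legitimately differs from the sending domain; display_name is sender-supplied, so this weakens rather than strengthens the match`, so the next maintainer can decide whether a stricter, non-sender-controlled signal should anchor it instead. With the added `.email.domain.domain != sender.email.domain.domain` check, the earlier `.email.email != sender.email.email` comparison (context above the change, presumably unchanged) is implied whenever domains differ and could be dropped for clarity, though it is harmless as written. The switch to `$suspicious_tlds` also drops the inline provenance URL for the TLD list; it is worth confirming that the list's source is recorded wherever `$suspicious_tlds` is now defined. The `source:` block begins before this hunk, so the full expression was not visible here.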

