Suspicious mailer received from Gmail servers

The mailer header is one of a few scripting or legacy desktop clients (PHPMailer, nodemailer, Microsoft CDO, or the Outlook Express "Produced By Microsoft MimeOLE" stamp) that is atypical of messages sent through Gmail infrastructure, and the message carries a Received hop showing it was accepted by smtp.gmail.com, Gmail's authenticated SMTP submission service. This combination has been observed sending callback phishing and general spam.

Sublime rule (View on GitHub)

name: "Suspicious mailer received from Gmail servers"
description: "Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam."
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(headers.mailer,
                  "Microsoft CDO for Windows 2000",
                  "PHPMailer*",
                  "nodemailer*"
    )
    or any(headers.hops, any(.fields, .value == "Produced By Microsoft MimeOLE"))
  )
  and any(headers.hops, .index == 0 and .received.server.raw == "smtp.gmail.com")
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Header analysis"
id: "f05f04ee-1234-5a28-98d9-54510c62e1f6"
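The following is an added worked example, not part of the Sublime rule or the Sublime Security project: a small Python emulation of the rule's header logic, run over constructed raw messages, so the three conditions can be exercised offline. It assumes that `headers.mailer` corresponds to the `X-Mailer` header, that `.index == 0` refers to the earliest Received hop (so the hop list is reversed from header order), and that the MimeOLE check can be approximated by an exact match on an `X-MimeOLE` header anywhere in the message rather than on Sublime's per-hop field grouping. The `profile.by_sender().any_false_positives` suppression depends on tenant history and is not modelled. All sample messages are constructed; the hostnames and IDs in them are illustrative.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from fnmatch import fnmatchcase

# Mailer patterns copied from the rule; "*" is a glob and matching is case-insensitive,
# mirroring strings.ilike().
SUSPICIOUS_MAILERS = ("Microsoft CDO for Windows 2000", "PHPMailer*", "nodemailer*")
MIMEOLE_VALUE = "Produced By Microsoft MimeOLE"   # compared with exact equality, as in the rule
GMAIL_SUBMISSION_HOST = "smtp.gmail.com"

# Pulls the receiving ("by") host out of a Received header such as
# "from localhost ([203.0.113.10]) by smtp.gmail.com with ESMTPSA id ...".
BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def mailer_matches(mailer: str | None) -> bool:
    """Equivalent of strings.ilike(headers.mailer, <patterns>): case-insensitive glob match."""
    if mailer is None:
        return False
    value = " ".join(mailer.split()).lower()
    return any(fnmatchcase(value, pattern.lower()) for pattern in SUSPICIOUS_MAILERS)


def hops(msg: Message) -> list[str]:
    """Received headers ordered oldest-first, so index 0 is the originating hop.
    Assumption: this is how the rule's `.index == 0` is meant to be read."""
    received = msg.get_all("Received") or []
    return [" ".join(h.split()) for h in reversed(received)]


def receiving_host(received: str) -> str | None:
    m = BY_HOST_RE.search(received)
    return m.group(1).lower() if m else None


def rule_matches(raw_message: str) -> bool:
    """Return True when the emulated rule would fire on the raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    atypical_mailer = mailer_matches(msg.get("X-Mailer")) or any(
        v.strip() == MIMEOLE_VALUE for v in (msg.get_all("X-MimeOLE") or [])
    )
    chain = hops(msg)
    via_gmail_submission = bool(chain) and receiving_host(chain[0]) == GMAIL_SUBMISSION_HOST
    return atypical_mailer and via_gmail_submission


# Constructed samples. Gmail stamps "by smtp.gmail.com with ESMTPSA" on mail submitted
# by an authenticated SMTP client, which is how scripted mailers send through a Gmail account.
PHPMAILER_VIA_GMAIL = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41]) by mx.example.test with ESMTPS id abc123
Received: from localhost ([203.0.113.10]) by smtp.gmail.com with ESMTPSA id xyz789
From: Billing <billing.dept.1234@gmail.com>
To: victim@example.test
Subject: Your subscription renewal - call 1-800-555-0100
X-Mailer: PHPMailer 6.8.0 (https://github.com/PHPMailer/PHPMailer)

Call us to cancel.
"""

MIMEOLE_VIA_GMAIL = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41]) by mx.example.test with ESMTPS id abc124
Received: from user-pc ([203.0.113.11]) by smtp.gmail.com with ESMTPSA id xyz790
From: Support <support.desk.5678@gmail.com>
To: victim@example.test
Subject: Invoice attached
X-MimeOLE: Produced By Microsoft MimeOLE

See attached.
"""

# Ordinary Gmail web send: no X-Mailer, and the origin hop is a google.com relay, not smtp.gmail.com.
GMAIL_WEBMAIL = """\
Received: from mail-lf1-f49.google.com (mail-lf1-f49.google.com [209.85.167.49]) by mx.example.test with ESMTPS id def456
Received: by mail-lf1-f49.google.com with SMTP id ghi789
From: Colleague <colleague@gmail.com>
To: victim@example.test
Subject: Lunch?

Free at noon?
"""

# PHPMailer through a non-Gmail submission server: mailer matches, hop condition does not.
PHPMAILER_ELSEWHERE = """\
Received: from mail.hosting.test (mail.hosting.test [198.51.100.7]) by mx.example.test with ESMTPS id jkl012
Received: from webapp.hosting.test ([198.51.100.8]) by mail.hosting.test with ESMTPSA id mno345
From: Shop <orders@shop.hosting.test>
To: victim@example.test
Subject: Order confirmation
X-Mailer: PHPMailer 6.8.0 (https://github.com/PHPMailer/PHPMailer)

Thanks for your order.
"""

if __name__ == "__main__":
    for name, sample in [("PHPMailer via Gmail", PHPMAILER_VIA_GMAIL),
                         ("MimeOLE via Gmail", MIMEOLE_VIA_GMAIL),
                         ("Gmail webmail", GMAIL_WEBMAIL),
                         ("PHPMailer elsewhere", PHPMAILER_ELSEWHERE)]:
        print(f"{name}: {'MATCH' if rule_matches(sample) else 'no match'}")
```

Only the two samples that combine a listed mailer (or the MimeOLE stamp) with an origin hop accepted by smtp.gmail.com match; a plain Gmail web send and a PHPMailer message relayed through another provider do not, which is the narrowing the hop condition provides.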
