Suspicious mailer received from Gmail servers
Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam.
Sublime rule (View on GitHub)
```yaml
name: "Suspicious mailer received from Gmail servers"
description: "Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam."
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(headers.mailer,
                  "Microsoft CDO for Windows 2000",
                  "PHPMailer*",
                  "nodemailer*"
    )
    or any(headers.hops, any(.fields, .value == "Produced By Microsoft MimeOLE"))
  )
  and (
    any(headers.hops, .index == 0 and .received.server.raw == "smtp.gmail.com")
    or headers.return_path.domain.root_domain in ("gmail.com", "googlemail.com")
  )
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Header analysis"
id: "f05f04ee-1234-5a28-98d9-54510c62e1f6"
```
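To make the rule's two conditions concrete, the following added Python example (not part of the Sublime rule or its repository) re-implements the same header logic with the standard library and runs it over constructed sample messages: a script-style mailer (PHPMailer) that authenticated to smtp.gmail.com, a plain Gmail webmail send, and the same mailer relaying through a non-Gmail server. It approximates MQL rather than reproducing it: `strings.ilike` becomes a case-insensitive glob, `headers.mailer` is read from `X-Mailer`, the "Produced By Microsoft MimeOLE" check scans every header value for that exact string, hop index 0 is assumed to be the originating hop (the bottom-most `Received` header), the root domain is taken as the last two labels without a public-suffix lookup, and the `profile.by_sender().any_false_positives` lookup is replaced by a boolean parameter because it depends on Sublime's sender history.

```python
import email
import re
from email import policy
from fnmatch import fnmatchcase

# Values transcribed from the rule above.
SUSPICIOUS_MAILERS = ("Microsoft CDO for Windows 2000", "PHPMailer*", "nodemailer*")
MIMEOLE_MARKER = "Produced By Microsoft MimeOLE"
GMAIL_ROOT_DOMAINS = ("gmail.com", "googlemail.com")


def ilike(value, patterns):
    """Case-insensitive glob match, approximating MQL strings.ilike()."""
    return value is not None and any(
        fnmatchcase(value.lower(), p.lower()) for p in patterns
    )


def received_by_host(received):
    """Pull the 'by <host>' token out of a Received header value (naive regex)."""
    m = re.search(r"\bby\s+([^\s;()]+)", received, re.IGNORECASE)
    return m.group(1).lower() if m else None


def root_domain(address):
    """Registrable domain of an address; assumes a two-label root (no PSL lookup)."""
    if not address or "@" not in address:
        return None
    host = address.strip().strip("<>").rsplit("@", 1)[1].lower()
    return ".".join(host.split(".")[-2:])


def matches_rule(raw, sender_has_known_false_positives=False):
    """Return True when the raw RFC 5322 message satisfies the rule's conditions."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    mailer = msg.get("X-Mailer")
    hops = msg.get_all("Received") or []
    header_values = [str(v) for _, v in msg.items()]

    # Condition 1: a mailer that is unusual for mail originating at Gmail.
    atypical_mailer = ilike(mailer, SUSPICIOUS_MAILERS) or MIMEOLE_MARKER in header_values

    # Condition 2: the message came through Gmail, either submitted to
    # smtp.gmail.com at the originating hop or carrying a Gmail return path.
    # Assumption: hop index 0 is the bottom-most Received header (the origin).
    origin_by = received_by_host(hops[-1]) if hops else None
    return_path = msg.get("Return-Path")
    via_gmail = (
        origin_by == "smtp.gmail.com"
        or root_domain(str(return_path) if return_path else None) in GMAIL_ROOT_DOMAINS
    )
    return atypical_mailer and via_gmail and not sender_has_known_false_positives


# Constructed sample messages (example.test and documentation IPs only).
def _build(*lines):
    return b"\r\n".join(lines) + b"\r\n\r\nBody text.\r\n"


# Script mailer submitted via authenticated SMTP to Gmail: should match.
PHPMAILER_VIA_GMAIL = _build(
    b"Return-Path: <sender@gmail.com>",
    b"Received: from mail-yw1-f171.google.com (mail-yw1-f171.google.com [209.85.128.171])",
    b"\tby mx.example.test with ESMTPS id 12345; Mon, 1 Jan 2024 10:00:00 +0000",
    b"Received: from [192.0.2.10] by smtp.gmail.com with ESMTPSA id abc.1;",
    b"\tMon, 1 Jan 2024 09:59:58 -0800 (PST)",
    b"From: Sender <sender@gmail.com>",
    b"To: recipient@example.test",
    b"Subject: Test message",
    b"X-Mailer: PHPMailer 6.8.0 (https://github.com/PHPMailer/PHPMailer)",
)

# Ordinary Gmail webmail send, no X-Mailer: should not match.
GMAIL_WEBMAIL = _build(
    b"Return-Path: <sender@gmail.com>",
    b"Received: from mail-yw1-f171.google.com by mx.example.test with ESMTPS id 2;",
    b"\tMon, 1 Jan 2024 10:00:00 +0000",
    b"Received: by mail-yw1-f171.google.com with SMTP id 3; Mon, 1 Jan 2024 09:59:58 -0800",
    b"From: Sender <sender@gmail.com>",
    b"To: recipient@example.test",
    b"Subject: Test message",
)

# Same script mailer, but relayed by the sender's own server: should not match.
PHPMAILER_OWN_SERVER = _build(
    b"Return-Path: <noreply@shop.example.test>",
    b"Received: from mail.shop.example.test by mx.example.test with ESMTPS id 4;",
    b"\tMon, 1 Jan 2024 10:00:00 +0000",
    b"Received: from app01.shop.example.test by mail.shop.example.test with ESMTP id 5;",
    b"\tMon, 1 Jan 2024 09:59:58 +0000",
    b"From: Shop <noreply@shop.example.test>",
    b"To: recipient@example.test",
    b"Subject: Test message",
    b"X-Mailer: phpmailer 6.8.0",
)


if __name__ == "__main__":
    for label, raw in (("PHPMailer via Gmail", PHPMAILER_VIA_GMAIL),
                       ("Gmail webmail", GMAIL_WEBMAIL),
                       ("PHPMailer via own server", PHPMAILER_OWN_SERVER)):
        print(f"{label}: {'MATCH' if matches_rule(raw) else 'no match'}")
```

The third sample shows why the rule pairs the mailer check with the Gmail-origin check: PHPMailer on its own is common for legitimate transactional mail, and only the combination with Gmail submission infrastructure is treated as unusual. The false-positive parameter illustrates the purpose of the final `profile.by_sender()` clause, which suppresses the rule for senders with previously confirmed benign hits.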