Headers: iOS/iPadOS mailer with invalid build number

Detects inbound emails whose mailer header (X-Mailer) claims an iOS or iPadOS Mail client but does not carry a build identifier of the expected form: an opening parenthesis followed by at least two digits, as in the `(20B101)`-style identifiers Apple uses. A mailer string that names iPhone or iPad Mail without such a build number is a sign the header was forged rather than written by the real client.

Sublime rule

```yaml
name: "Headers: iOS/iPadOS mailer with invalid build number"
description: |
    Detects emails claiming to be sent from an iOS or iPadOS device that contain an invalid build number.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.contains(headers.mailer, '(iPad|iPhone) Mail')
  and not regex.contains(headers.mailer, '(iPad|iPhone) Mail \([0-9]{2}')
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "e0b74072-3210-5511-9ad9-2c945ab28abb"
```
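To see what the two regexes actually accept and reject, here is the same logic re-implemented in Python and run over a few constructed raw messages. This is an added example, not part of the rule or of Sublime's own code; it assumes that `headers.mailer` corresponds to the `X-Mailer` header and that `regex.contains` is an unanchored search, equivalent to Python's `re.search`.

```python
import email
import re
from email import policy
from typing import Optional, Tuple

# Both patterns are copied verbatim from the rule above. The first requires the
# mailer string to name an iPhone or iPad Mail client; the second additionally
# requires that name to be followed by " (" and at least two digits, which is
# how a genuine build identifier such as "(20B101)" begins.
IOS_MAILER = re.compile(r'(iPad|iPhone) Mail')
VALID_BUILD = re.compile(r'(iPad|iPhone) Mail \([0-9]{2}')


def mailer_has_invalid_build(mailer: Optional[str]) -> bool:
    """Return True when the mailer claims iOS/iPadOS Mail but lacks a plausible build number.

    A missing header never matches: the rule fires only on a present, malformed claim.
    """
    if mailer is None:
        return False
    return bool(IOS_MAILER.search(mailer)) and not VALID_BUILD.search(mailer)


def classify_message(raw: bytes) -> Tuple[Optional[str], bool]:
    """Parse a raw RFC 5322 message and evaluate the rule against its X-Mailer header.

    Assumption (hypothetical mapping): Sublime's headers.mailer is taken to be X-Mailer.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    mailer = msg.get("X-Mailer")
    return mailer, mailer_has_invalid_build(mailer)


# Constructed sample messages for illustration (not real captured mail).
SAMPLES = {
    # Genuine-looking client string with an Apple-style build identifier: not flagged.
    "real_ios": b"From: a@example.com\r\nX-Mailer: iPhone Mail (20B101)\r\n\r\nhi\r\n",
    # Claims iPhone Mail but omits the build entirely: flagged.
    "no_build": b"From: a@example.com\r\nX-Mailer: iPhone Mail\r\n\r\nhi\r\n",
    # Claims iPad Mail with a parenthesised value that does not start with two digits: flagged.
    "bad_build": b"From: a@example.com\r\nX-Mailer: iPad Mail (beta)\r\n\r\nhi\r\n",
    # Some other client: the first regex fails, so the rule does not apply.
    "outlook": b"From: a@example.com\r\nX-Mailer: Microsoft Outlook 16.0\r\n\r\nhi\r\n",
    # No X-Mailer at all: nothing to evaluate.
    "no_header": b"From: a@example.com\r\n\r\nhi\r\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: flagged}."""
    return {name: classify_message(raw)[1] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in run_samples().items():
        print(f"{name:10s} flagged={flagged}")
```

Note that the rule only inspects the first two characters after the opening parenthesis, so a forged value such as `iPhone Mail (99)` passes the check; the rule is a cheap consistency test on the header's shape, not a validation of the build identifier against a list of real iOS releases.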