Headers: iOS/iPadOS mailer with invalid build number
Detects emails claiming to be sent from an iOS or iPadOS device that contain an invalid build number.
Sublime rule

```yaml
name: "Headers: iOS/iPadOS mailer with invalid build number"
description: |
  Detects emails claiming to be sent from an iOS or iPadOS device that contain an invalid build number.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and regex.contains(headers.mailer, '(iPad|iPhone) Mail')
  and not regex.contains(headers.mailer, '(iPad|iPhone) Mail \([0-9]{2}')
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "e0b74072-3210-5511-9ad9-2c945ab28abb"
```
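The rule's logic, re-implemented in Python over constructed sample messages so the two regexes can be exercised outside Sublime (an added example, not Sublime's own code; it assumes `headers.mailer` corresponds to the `X-Mailer` header and that every sample is inbound):

```python
import re
from email import message_from_string
from email.message import Message

# The same two patterns as the rule. Sublime's regex.contains is unanchored,
# so re.search is the equivalent. The second pattern demands a build number
# opening with two digits, e.g. "iPhone Mail (20A362)".
CLAIMS_IOS_MAILER = re.compile(r"(iPad|iPhone) Mail")
HAS_VALID_BUILD = re.compile(r"(iPad|iPhone) Mail \([0-9]{2}")


def mailer_header(raw_message: str) -> str:
    """Return the X-Mailer header (assumed here to be what headers.mailer exposes), or ''."""
    msg: Message = message_from_string(raw_message)
    return msg.get("X-Mailer", "")


def rule_matches(raw_message: str) -> bool:
    """True when the message claims an iOS/iPadOS mailer but lacks a well-formed build number.

    type.inbound is not modelled: every message passed in is assumed to be inbound.
    """
    mailer = mailer_header(raw_message)
    return bool(CLAIMS_IOS_MAILER.search(mailer)) and not HAS_VALID_BUILD.search(mailer)


# Constructed sample messages (not real captures); only the headers matter here.
SAMPLES = {
    "genuine": "From: a@example.com\r\nX-Mailer: iPhone Mail (20A362)\r\nSubject: hi\r\n\r\nbody\r\n",
    "no_build": "From: a@example.com\r\nX-Mailer: iPhone Mail\r\nSubject: hi\r\n\r\nbody\r\n",
    "bad_build": "From: a@example.com\r\nX-Mailer: iPad Mail (1.0)\r\nSubject: hi\r\n\r\nbody\r\n",
    "other_client": "From: a@example.com\r\nX-Mailer: Microsoft Outlook 16.0\r\nSubject: hi\r\n\r\nbody\r\n",
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:13s} -> {'ALERT' if hit else 'ok'}")
```

Note that `[0-9]{2}` encodes the assumption that the build string opens with two digits; a mailer value whose build number begins with a single digit would also fire.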