Headers: risky-recover-production message ID

Detects inbound messages whose Message-ID header contains the substring 'risky-recover-production' (matched case-insensitively), which may indicate spam or other suspicious activity.

Sublime rule

name: "Headers: risky-recover-production message ID"
description: "Detects messages containing 'risky-recover-production' in the message ID header, which may indicate suspicious or malicious activity."
type: "rule"
severity: "low"
source: |
  type.inbound
  and strings.icontains(headers.message_id, 'risky-recover-production')

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "4cc0b5dc-8071-5746-9a9d-4838846ae044"
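The following is an added example, not code from Sublime or the rule repository: it re-implements the rule's match condition in Python so the logic can be exercised offline against a few constructed raw messages. Parsing uses the standard library's email module; the `direction` argument is an assumed stand-in for the rule's `type.inbound` check, and the sample messages are constructed for illustration.

```python
"""Reference re-implementation of the rule's match logic (added example).

Mirrors: type.inbound and strings.icontains(headers.message_id, INDICATOR)
The parser is Python's stdlib email module, not Sublime's engine.
"""
from email import message_from_string
from email.policy import default

INDICATOR = "risky-recover-production"


def message_id_matches(raw: str, direction: str = "inbound") -> bool:
    """Return True when an inbound message's Message-ID contains INDICATOR.

    `direction` is an assumed stand-in for Sublime's type.inbound.
    A missing Message-ID header yields False rather than an exception,
    matching the null-safe behaviour expected of the rule's icontains.
    """
    if direction != "inbound":
        return False
    msg = message_from_string(raw, policy=default)
    mid = msg.get("Message-ID")
    if mid is None:
        return False
    # icontains: case-insensitive substring test
    return INDICATOR.lower() in mid.lower()


# Constructed sample messages (not real traffic).
SAMPLES = {
    "hit_mixed_case": "\n".join([
        "From: billing@example.invalid",
        "To: user@example.invalid",
        "Subject: Account recovery",
        "Message-ID: <20240101.RISKY-Recover-Production.1234@mail.example.invalid>",
        "",
        "Please confirm your recovery request.",
    ]),
    "benign": "\n".join([
        "From: alice@example.invalid",
        "To: bob@example.invalid",
        "Subject: Lunch",
        "Message-ID: <a1b2c3d4@mail.example.invalid>",
        "",
        "Noon works for me.",
    ]),
    "no_message_id": "\n".join([
        "From: noreply@example.invalid",
        "To: user@example.invalid",
        "Subject: Notice",
        "",
        "No Message-ID header on this one.",
    ]),
}


def evaluate(samples: dict, direction: str = "inbound") -> dict:
    """Run the check over every sample; returns {label: matched}."""
    return {label: message_id_matches(raw, direction) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLES).items():
        print(f"{label:16s} -> {'MATCH' if hit else 'no match'}")
```

Only the first sample fires: the match is on the raw header value, so the mixed-case indicator still hits, a header that is absent is simply treated as a non-match, and the same messages evaluated as outbound never match because the rule is scoped to inbound mail.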