Russia return-path TLD (untrusted sender)

The return-path header is a .ru TLD from an untrusted sender.

Sublime rule (View on GitHub)

name: "Russia return-path TLD (untrusted sender)"
description: |
    The return-path header is a .ru TLD from an untrusted sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and headers.return_path.domain.tld == "ru"
  and sender.email.domain.root_domain != "corp.mail.ru"
  and sender.email.domain.root_domain != "calendar.yandex.ru"
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "588b3954-c03a-57fb-b5a4-abf993a8c003"
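To make the rule's logic concrete outside the Sublime platform, the following is an added Python example (not Sublime's code and not part of the rule above) that evaluates the same conditions over constructed raw messages. The SenderProfile dataclass is an assumed stand-in for the values profile.by_sender() would supply from message history; the two excluded domains are compared against the full sender domain rather than a public-suffix-derived root domain, which is a simplification of the rule's root_domain check, and the four sample messages are constructed for the example.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Sender domains the rule excludes. Here they are matched against the full
# sender domain (assumption: a simplification of the rule's root_domain check).
EXCLUDED_SENDER_DOMAINS = {"corp.mail.ru", "calendar.yandex.ru"}


@dataclass
class SenderProfile:
    """Stand-in for profile.by_sender(); a mail platform derives these fields
    from prior traffic with the sender, here they are supplied inline."""
    prevalence: str                      # e.g. "new", "outlier", "common"
    solicited: bool                      # recipient previously wrote to sender
    any_messages_malicious_or_spam: bool # prior messages flagged
    any_false_positives: bool            # prior flags later overturned


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Return-Path header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def tld_of(domain: str) -> str:
    return domain.rsplit(".", 1)[-1] if domain else ""


def sender_is_untrusted(profile: SenderProfile) -> bool:
    """Mirror the rule's parenthesised profile clause."""
    unknown_and_unsolicited = (
        profile.prevalence in ("new", "outlier") and not profile.solicited
    )
    previously_flagged = (
        profile.any_messages_malicious_or_spam and not profile.any_false_positives
    )
    return unknown_and_unsolicited or previously_flagged


def rule_matches(raw_message: str, profile: SenderProfile, inbound: bool = True) -> bool:
    """Return True when the message satisfies every condition of the rule."""
    if not inbound:
        return False
    msg = message_from_string(raw_message)
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if tld_of(return_path_domain) != "ru":
        return False
    if domain_of(msg.get("From", "")) in EXCLUDED_SENDER_DOMAINS:
        return False
    return sender_is_untrusted(profile) and not profile.any_false_positives


# Constructed sample messages (not real traffic).
MSG_NEW_SENDER = """From: "Accounts" <billing@invoice-portal.ru>
Return-Path: <bounce@invoice-portal.ru>
Subject: Outstanding invoice

Please review the attached invoice.
"""

MSG_MISMATCHED_RETURN_PATH = """From: "IT Support" <helpdesk@example.com>
Return-Path: <bounce@tracker.example.ru>
Subject: Password expiry

Your password expires today.
"""

MSG_EXCLUDED = """From: Calendar <noreply@calendar.yandex.ru>
Return-Path: <noreply@calendar.yandex.ru>
Subject: Meeting reminder

Reminder: call at 10:00.
"""

MSG_KNOWN_PARTNER = """From: partner@supplier.ru
Return-Path: <partner@supplier.ru>
Subject: Re: shipment

Confirming the shipment date.
"""

NEW_UNSOLICITED = SenderProfile("new", False, False, False)
ESTABLISHED = SenderProfile("common", True, False, False)


def evaluate_samples() -> dict:
    """Run the rule over the samples with profiles a platform might report."""
    return {
        "new_sender": rule_matches(MSG_NEW_SENDER, NEW_UNSOLICITED),
        "mismatched_return_path": rule_matches(MSG_MISMATCHED_RETURN_PATH, NEW_UNSOLICITED),
        "excluded_domain": rule_matches(MSG_EXCLUDED, NEW_UNSOLICITED),
        "known_partner": rule_matches(MSG_KNOWN_PARTNER, ESTABLISHED),
    }


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The mismatched_return_path sample is the case worth watching when tuning: the visible From domain is not Russian at all, only the bounce address is, which is exactly what the Return-Path check catches and what a From-only rule would miss. Conversely, an established partner on a .ru domain does not fire unless prior messages from it were flagged and never overturned.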
