Russia return-path TLD (untrusted sender)

The return-path header is a .ru TLD from an untrusted sender.

Sublime rule

name: "Russia return-path TLD (untrusted sender)"
description: |
    The return-path header is a .ru TLD from an untrusted sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and headers.return_path.domain.tld == "ru"
  and sender.email.domain.root_domain != "corp.mail.ru"
  and sender.email.domain.root_domain != "calendar.yandex.ru"
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "588b3954-c03a-57fb-b5a4-abf993a8c003"
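As an added example (not Sublime's code), the rule's logic re-implemented in Python and evaluated over constructed messages and sender profiles, so you can see which combinations of return-path TLD, sender domain and sender history make it fire. The message dict shape, the profile flag names as plain dict keys, the "common" prevalence value and the simplified root-domain comparison are assumptions.

```python
from email.utils import parseaddr
# Root domains the rule exempts (values taken from the rule above).
EXEMPT_DOMAINS = ("corp.mail.ru", "calendar.yandex.ru")

def domain_of(header_value):
    """Lowercase domain from an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def is_exempt(sender_domain):
    # Assumption: Sublime's root_domain comparison is approximated by treating
    # a domain equal to, or below, an exempted entry as exempt.
    return any(sender_domain == d or sender_domain.endswith("." + d)
               for d in EXEMPT_DOMAINS)

def suspicious_sender(p):
    """The profile.by_sender() clause, evaluated on a dict of constructed flags."""
    new_unsolicited = p["prevalence"] in ("new", "outlier") and not p["solicited"]
    bad_history = p["any_messages_malicious_or_spam"] and not p["any_messages_benign"]
    return (new_unsolicited or bad_history) and not p["any_messages_benign"]

def rule_matches(msg, profile):
    """True when a constructed inbound message and sender profile satisfy the rule."""
    if not msg["inbound"]:
        return False
    rp_domain = domain_of(msg["headers"].get("Return-Path"))
    if rp_domain.rsplit(".", 1)[-1] != "ru":   # headers.return_path.domain.tld
        return False
    if is_exempt(domain_of(msg["headers"].get("From"))):
        return False
    return suspicious_sender(profile)
def inbound(return_path, sender):
    return {"inbound": True, "headers": {"Return-Path": return_path, "From": sender}}
# Constructed sender profiles and messages (not real data); "common" is assumed.
NEW = {"prevalence": "new", "solicited": False,
       "any_messages_malicious_or_spam": False, "any_messages_benign": False}
KNOWN = {"prevalence": "common", "solicited": True,
         "any_messages_malicious_or_spam": False, "any_messages_benign": True}
SPAMMY = {"prevalence": "common", "solicited": False,
          "any_messages_malicious_or_spam": True, "any_messages_benign": False}
SAMPLES = {
    "new sender, .ru return-path": (inbound("<b@mailer.example.ru>", "Ann <ann@example.ru>"), NEW),
    "exempted corp.mail.ru sender": (inbound("<b@mailer.example.ru>", "Bob <bob@corp.mail.ru>"), NEW),
    "known sender, .ru return-path": (inbound("<b@notify.example.ru>", "Cat <cat@example.ru>"), KNOWN),
    "prior spam, .ru return-path": (inbound("<b@lists.example.ru>", "Dan <dan@example.com>"), SPAMMY),
    ".com return-path": (inbound("<b@example.com>", "Eve <eve@example.ru>"), NEW),
}
def evaluate_samples():
    """Map each sample name to whether the rule fires on it."""
    return {name: rule_matches(m, p) for name, (m, p) in SAMPLES.items()}
```

Only the new unsolicited sender and the sender with prior spam and no benign history trigger the rule; the exempted domain, the established sender and the non-.ru return path do not.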
