Russia return-path TLD (first-time sender)
The Return-Path header domain has a .ru TLD and the sender is a first-time sender.
Sublime rule
name: "Russia return-path TLD (first-time sender)"
description: |
  The return-path header is a .ru TLD and first-time sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and headers.return_path.domain.tld == "ru"
  and sender.email.email not in $recipient_emails
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "588b3954-c03a-57fb-b5a4-abf993a8c003"
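To show how the source block above evaluates, here is an added Python re-implementation run over constructed headers-only messages; it is not part of the Sublime rule or its engine. The history sets and FREE_EMAIL_PROVIDERS are hypothetical stand-ins for $recipient_emails, $sender_emails, $sender_domains and $free_email_providers, and root_domain is approximated by the last two labels.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for Sublime's $free_email_providers list (hypothetical, not the real list)
FREE_EMAIL_PROVIDERS = {"mail.ru", "yandex.ru", "gmail.com"}

@dataclass
class SenderHistory:
    """Stand-ins for $recipient_emails, $sender_emails and $sender_domains (hypothetical)."""
    recipient_emails: set
    sender_emails: set
    sender_domains: set

def _domain(address):
    return address.rpartition("@")[2].lower()

def _tld(domain):
    return domain.rsplit(".", 1)[-1]

def _root_domain(domain):
    # Approximates MQL root_domain with the last two labels (ignores multi-label public suffixes)
    return ".".join(domain.split(".")[-2:])

def matches_rule(raw_message, history):
    """Mirrors the rule's source block: .ru Return-Path TLD from a never-before-seen sender."""
    msg = message_from_string(raw_message)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not return_path or not sender:
        return False
    if _tld(_domain(return_path)) != "ru":       # headers.return_path.domain.tld == "ru"
        return False
    if sender in history.recipient_emails:        # sender.email.email not in $recipient_emails
        return False
    sender_domain = _domain(sender)
    if _root_domain(sender_domain) in FREE_EMAIL_PROVIDERS:
        return sender not in history.sender_emails        # free provider: judge by full address
    return sender_domain not in history.sender_domains    # otherwise: judge by sending domain

# Constructed sample messages (headers only)
MSG_FREE_PROVIDER = "Return-Path: <bounce@example.ru>\nFrom: Ivan <ivan@mail.ru>\nSubject: Invoice\n\nbody\n"
MSG_CORPORATE = "Return-Path: <bounce@example.ru>\nFrom: Billing <ap@vendor.example>\nSubject: Invoice\n\nbody\n"
MSG_NON_RU = "Return-Path: <bounce@example.com>\nFrom: Ivan <ivan@mail.ru>\nSubject: Hi\n\nbody\n"

if __name__ == "__main__":
    no_history = SenderHistory(set(), set(), set())
    print(matches_rule(MSG_FREE_PROVIDER, no_history))  # True: .ru return path, unknown free-mail sender
    print(matches_rule(MSG_CORPORATE, SenderHistory(set(), set(), {"vendor.example"})))  # False: known domain
```

The two branches differ on purpose: a free-mail sender is judged by the full address, while a sender on its own domain is judged by the domain, so a known vendor domain suppresses the alert even for a new mailbox.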