Russia return-path TLD (first-time sender)

The domain in the Return-Path header is under the .ru top-level domain and the message comes from a first-time sender: either a free-mail address the organization has not received mail from before, or a non-free-mail sending domain it has not seen before. Internal senders (addresses in the organization's own mailbox list) are excluded.

Sublime rule

name: "Russia return-path TLD (first-time sender)"
description: |
    The return-path header is a .ru TLD and first-time sender.
type: "rule"
severity: "low"
source: |
  type.inbound
  and headers.return_path.domain.tld == "ru"
  and sender.email.email not in $recipient_emails
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Malware/Ransomware"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "588b3954-c03a-57fb-b5a4-abf993a8c003"
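To make the rule's conditions concrete, the following is an added Python re-implementation of the same logic run over a handful of constructed messages; it is not part of the Sublime rule or the Sublime platform. The $-prefixed lists are stood in by hard-coded sets whose contents are assumed, root_domain is approximated as the last two labels (a production version would use the Public Suffix List, e.g. tldextract), and every sample is treated as inbound, so type.inbound becomes a boolean parameter.

```python
"""Plain-Python mirror of the MQL above (added example, not Sublime code)."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

# Constructed stand-ins for Sublime's $-lists. Real deployments derive these
# from the organization's mail history; the values here are assumptions.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "mail.ru", "yandex.ru"}
RECIPIENT_EMAILS = {"alice@example.com", "bob@example.com"}  # the org's own mailboxes
SENDER_EMAILS = {"oldfriend@gmail.com"}                      # free-mail senders seen before
SENDER_DOMAINS = {"partner.example.net"}                     # non-free-mail domains seen before


def tld(domain: str) -> str:
    """Last DNS label: 'ru' for 'bounce.mailer.ru', 'com' for 'example.ru.com'."""
    return domain.rsplit(".", 1)[-1]


def root_domain(domain: str) -> str:
    """Approximation of Sublime's root_domain (registered domain) as the last two
    labels. Assumption of this example; real code should consult the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(domain.split(".")[-2:])


def parse_address(header_value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (email, domain) from a header value, or (None, None) for an empty
    or null address such as the '<>' Return-Path carried by bounces."""
    _, email = parseaddr(header_value or "")
    email = email.strip().lower()
    if "@" not in email:
        return None, None
    return email, email.rsplit("@", 1)[1]


def matches_rule(raw_message: str, inbound: bool = True) -> bool:
    """True when the message satisfies every condition of the rule's source."""
    if not inbound:  # type.inbound
        return False
    msg = message_from_string(raw_message)

    # headers.return_path.domain.tld == "ru"
    _, rp_domain = parse_address(msg.get("Return-Path", ""))
    if rp_domain is None or tld(rp_domain) != "ru":
        return False

    # sender.email.email not in $recipient_emails (exclude internal senders)
    sender, sender_domain = parse_address(msg.get("From", ""))
    if sender is None or sender in RECIPIENT_EMAILS:
        return False

    if root_domain(sender_domain) in FREE_EMAIL_PROVIDERS:
        # Free-mail: the provider domain says nothing, so the exact address
        # must be new (not in $sender_emails).
        return sender not in SENDER_EMAILS
    # Any other sender: the full sending domain must be new (not in $sender_domains).
    return sender_domain not in SENDER_DOMAINS


# Constructed sample messages covering the rule's branches and two edge cases.
SAMPLES: Dict[str, str] = {
    "freemail_first_time": ("Return-Path: <bounce@newsletter.mailer.ru>\n"
                            "From: Ivan <ivan.new@gmail.com>\n"
                            "To: alice@example.com\nSubject: Invoice\n\nbody"),
    "freemail_known":      ("Return-Path: <bounce@newsletter.mailer.ru>\n"
                            "From: oldfriend@gmail.com\n"
                            "To: alice@example.com\nSubject: Hi\n\nbody"),
    "internal_sender":     ("Return-Path: <bounce@newsletter.mailer.ru>\n"
                            "From: bob@example.com\n"
                            "To: alice@example.com\nSubject: FYI\n\nbody"),
    "corp_first_time":     ("Return-Path: <b@relay.ru>\n"
                            "From: billing@supplier.example\n"
                            "To: alice@example.com\nSubject: Payment\n\nbody"),
    "corp_known":          ("Return-Path: <b@relay.ru>\n"
                            "From: ap@partner.example.net\n"
                            "To: alice@example.com\nSubject: PO\n\nbody"),
    "null_return_path":    ("Return-Path: <>\n"
                            "From: mailer-daemon@example.net\n"
                            "To: alice@example.com\nSubject: Undelivered\n\nbody"),
    "ru_not_the_tld":      ("Return-Path: <b@example.ru.com>\n"
                            "From: someone@unknown.example\n"
                            "To: alice@example.com\nSubject: Hello\n\nbody"),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed sample."""
    return {name: matches_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} {'MATCH' if hit else 'no match'}")
```

Only the two "first_time" samples fire: a known free-mail correspondent, an internal sender, a known partner domain, a null Return-Path from a bounce, and a domain where "ru" is merely a subdomain label all fall through, which is the behaviour the rule's source encodes.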