Headers: X-Source-Auth mismatch with mismatched reply-to domain
Detects messages where the X-Source-Auth header value doesn't match the sender's email address and the reply-to domain differs from the sender's domain, indicating potential sender spoofing or impersonation.
Sublime rule:
```yaml
name: "Headers: X-Source-Auth mismatch with mismatched reply-to domain"
description: "Detects messages where the X-Source-Auth header value doesn't match the sender's email address and the reply-to domain differs from the sender's domain, indicating potential sender spoofing or impersonation."
type: "rule"
severity: "high"
source: |
  type.inbound
  // X-Source-Auth doesn't match sender
  and any(headers.hops,
          any(.fields,
              .name == 'X-Source-Auth'
              and .value != sender.email.email
              and strings.parse_email(.value).email is not null
          )
  )
  // mismatched sender (from) and Reply-to
  and length(headers.reply_to) > 0
  and all(headers.reply_to,
          .email.domain.root_domain != sender.email.domain.root_domain
  )
  and length(ml.nlu_classifier(body.current_thread.text).intents) > 0
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == 'benign' and .confidence != 'low'
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "f56e8b29-30a4-51bc-a71f-244f10bf7452"
```
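To see the two header conditions of this rule in action outside Sublime, here is an added Python re-implementation (not the rule's own code or a Sublime component) run against two constructed sample messages. It assumes a simplified `root_domain` (last two DNS labels, no public-suffix list) and leaves out the NLU intent condition, which has no offline equivalent.

```python
# Added example, not the Sublime rule itself: re-implements the rule's two
# header conditions in Python so they can be checked against sample messages
# offline. The NLU intent condition has no offline equivalent and is omitted.
from email import message_from_string
from email.utils import getaddresses, parseaddr


def root_domain(addr: str) -> str:
    # Assumption: last two DNS labels stand in for Sublime's root_domain
    # (no public-suffix list, so "example.co.uk" would reduce to "co.uk").
    return ".".join(addr.rpartition("@")[2].lower().split(".")[-2:])


def x_source_auth_mismatch(msg) -> bool:
    # Any X-Source-Auth that parses as an address and, after parsing,
    # differs from the From address (the rule compares the raw value).
    sender = parseaddr(msg.get("From", ""))[1].lower()
    for value in msg.get_all("X-Source-Auth", []):
        auth = parseaddr(value)[1].lower()
        if "@" in auth and auth != sender:
            return True
    return False


def reply_to_domain_mismatch(msg) -> bool:
    # Reply-To present, and every Reply-To root domain differs from From's.
    sender = parseaddr(msg.get("From", ""))[1]
    reply_tos = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    return bool(reply_tos) and all(
        root_domain(a) != root_domain(sender) for a in reply_tos
    )


def matches(raw: str) -> bool:
    msg = message_from_string(raw)
    return x_source_auth_mismatch(msg) and reply_to_domain_mismatch(msg)


# Constructed sample: the authenticated account differs from the displayed
# sender, and replies are steered to a look-alike third-party domain.
SUSPICIOUS = (
    "From: CEO <ceo@example.com>\r\n"
    "Reply-To: ceo.office@mail-example.net\r\n"
    "X-Source-Auth: unknown-user@freemail.test\r\n"
    "Subject: Urgent wire\r\n\r\nPlease handle today.\r\n"
)
# Constructed sample: X-Source-Auth agrees with From and Reply-To is in-domain.
BENIGN = (
    "From: Alice <alice@example.com>\r\n"
    "Reply-To: team@example.com\r\n"
    "X-Source-Auth: alice@example.com\r\n"
    "Subject: Notes\r\n\r\nAttached.\r\n"
)
```

Both conditions must hold for `matches` to fire; a message with a mismatched X-Source-Auth but an in-domain Reply-To is deliberately not flagged, mirroring the rule's conjunction.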