Headers: Zimbra mailer from a non-supported OS version
Detects Zimbra-originated emails whose mailer header reports an unsupported Windows version (NT 5.1, i.e. Windows XP, or NT 6.1, i.e. Windows 7 / Server 2008 R2). Observed in widespread HTML credential phishing campaigns.
Sublime rule (View on GitHub)
name: "Headers: Zimbra mailer from a non-supported OS version"
description: |
  Detects Zimbra originated emails sent from non-supported Windows versions.
  Observed in widespread HTML credential phishing campaigns.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.starts_with(headers.mailer, "Zimbra")
  and regex.icontains(headers.mailer, '\b(5\.1|6\.1)\.\d{4}\b')
detection_methods:
  - "Header analysis"
id: "d23e694f-a23d-5730-9a04-29629f2e6696"
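The following is an added Python example, not Sublime's own code, that reproduces the rule's three conditions (inbound, mailer header starting with "Zimbra", and an NT 5.1 or 6.1 build string) and runs them over constructed mailer header values. It assumes the Zimbra mailer header carries a Windows build string such as "6.1.7601"; the sample values are constructed for illustration and are not captured headers. It also shows two edge cases the `\b` anchors handle: "16.1.xxxx" and a five-digit build number do not match.

```python
import re

# Added example, not Sublime's own code: a Python equivalent of the rule's
# three conditions, run over constructed mailer header values.
#
# Assumption: the Zimbra mailer header contains a Windows build string such as
# "6.1.7601" (Windows 7) or "5.1.2600" (Windows XP). The SAMPLES below are
# constructed for illustration, not real captured headers.

# Same pattern as the rule's regex.icontains(): NT 5.1 or 6.1 followed by a
# four-digit build number, word-bounded on both sides so that "16.1.7601" or a
# five-digit build such as "6.1.76011" does not match.
UNSUPPORTED_WINDOWS = re.compile(r"\b(5\.1|6\.1)\.\d{4}\b", re.IGNORECASE)


def matches_rule(mailer, inbound=True):
    """Return True when an inbound message's mailer header starts with
    "Zimbra" (case-sensitive, mirroring strings.starts_with rather than
    strings.istarts_with) and carries an NT 5.1 / 6.1 build string."""
    if not inbound or not mailer:
        return False
    if not mailer.startswith("Zimbra"):
        return False
    return UNSUPPORTED_WINDOWS.search(mailer) is not None


# Constructed sample mailer values (not real captured headers).
SAMPLES = {
    "xp_build": "Zimbra 8.8.15 (Zimbra Desktop/Windows 5.1.2600)",
    "win7_build": "Zimbra 8.8.15 (Zimbra Desktop/Windows 6.1.7601)",
    "supported_build": "Zimbra 8.8.15 (Zimbra Desktop/Windows 10.0.19045)",
    "not_zimbra": "Microsoft Outlook 16.0 (Windows 6.1.7601)",
    "lowercase_prefix": "zimbra 8.8.15 (Zimbra Desktop/Windows 6.1.7601)",
    "no_boundary": "Zimbra 8.8.15 (Zimbra Desktop/Windows 16.1.7601)",
    "five_digit_build": "Zimbra 8.8.15 (Zimbra Desktop/Windows 6.1.76011)",
    "empty": "",
}


def evaluate_samples(samples=SAMPLES):
    """Run the rule over every sample and return {name: verdict}."""
    return {name: matches_rule(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18} -> {'ALERT' if verdict else 'pass'}")
```

Only the XP and Windows 7 build strings trigger the rule; the lowercase "zimbra" sample does not, because `strings.starts_with` is case-sensitive, which is worth keeping in mind if a sender alters the header's capitalisation.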