Headers: Zimbra mailer from a non-supported OS version

Detects Zimbra-originated emails whose mailer header reports a Windows version that is no longer supported. Observed in widespread HTML credential phishing campaigns.

Sublime rule (View on GitHub)

name: "Headers: Zimbra mailer from a non-supported OS version"
description: |
  Detects Zimbra originated emails sent from non-supported Windows versions.
  Observed in widespread HTML credential phishing campaigns.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.starts_with(headers.mailer, "Zimbra")
  and regex.icontains(headers.mailer, '\b(5\.1|6\.1)\.\d{4}\b')
detection_methods:
  - "Header analysis"
id: "d23e694f-a23d-5730-9a04-29629f2e6696"
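The rule above keys on two properties of the mailer header: it starts with "Zimbra", and it contains a Windows NT build string of the form 5.1.xxxx (Windows XP) or 6.1.xxxx (Windows 7). The following Python port is an added example, not the Sublime rule itself nor code from Sublime Security; it assumes that headers.mailer corresponds to the X-Mailer header, that type.inbound is already satisfied, and that strings.starts_with is a case-sensitive prefix test. The sample messages are constructed for illustration and are not captured from any real campaign.

```python
import re
from email import message_from_string
from typing import Dict, Optional

# Regex copied verbatim from the rule: matches NT build strings of the form
# 5.1.xxxx (Windows XP) or 6.1.xxxx (Windows 7), both long out of support.
# icontains in the rule is case-insensitive, mirrored here with re.IGNORECASE.
UNSUPPORTED_NT_RE = re.compile(r"\b(5\.1|6\.1)\.\d{4}\b", re.IGNORECASE)


def mailer_header(raw_message: str) -> str:
    """Return the X-Mailer value, or "" if the header is absent.

    Assumption: Sublime's headers.mailer is the X-Mailer header value.
    """
    return message_from_string(raw_message).get("X-Mailer", "")


def unsupported_nt_version(mailer: str) -> Optional[str]:
    """Return the matched NT version (e.g. '6.1.7601') for alert enrichment, or None."""
    m = UNSUPPORTED_NT_RE.search(mailer)
    return m.group(0) if m else None


def matches_rule(raw_message: str) -> bool:
    """Port of the rule's two header checks.

    type.inbound is assumed satisfied (this example only sees raw headers);
    strings.starts_with is ported as a case-sensitive prefix test (assumption).
    """
    mailer = mailer_header(raw_message)
    return mailer.startswith("Zimbra") and unsupported_nt_version(mailer) is not None


def _msg(mailer: str) -> str:
    # Build a minimal constructed RFC 5322 message carrying the given X-Mailer.
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        "Subject: Shared document\n"
        f"X-Mailer: {mailer}\n"
        "\n"
        "See attached.\n"
    )


# Constructed sample mailer strings; not captured from any real campaign.
SAMPLES: Dict[str, str] = {
    "zimbra_win7": _msg("Zimbra 8.0.9_GA_6191 (Windows NT 6.1.7601)"),
    "zimbra_xp": _msg("Zimbra 7.2.0 (Windows NT 5.1.2600)"),
    "zimbra_win10": _msg("Zimbra 8.8.15 (Windows NT 10.0.19045)"),
    "zimbra_no_os": _msg("Zimbra 8.8.15_GA_3869 (ZimbraWebClient - GC96 (Win)/8.8.15_GA_3869)"),
    # Unsupported OS string but not a Zimbra mailer: the prefix check must fail.
    "other_client_xp": _msg("Outlook Express 6.00.2900 (Windows NT 5.1.2600)"),
}


def triage(samples: Dict[str, str]) -> Dict[str, bool]:
    """Evaluate every sample and return name -> rule verdict."""
    return {name: matches_rule(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in triage(SAMPLES).items():
        print(f"{name:16s} -> {'MATCH' if hit else 'no match'}")
```

The "other_client_xp" sample shows why both conditions are needed: an out-of-support NT build on its own is not what the rule flags, only its combination with a Zimbra mailer. The Windows 10 sample fails the regex because the word boundary and the exact four-digit build group leave no match in 10.0.19045.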