
Headers: risky-recover-production message ID

Detects messages containing 'risky-recover-production' in the message ID header, which may indicate suspicious or malicious activity.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and strings.icontains(headers.message_id, 'risky-recover-production')

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email
Raw Content
name: "Headers: risky-recover-production message ID"
description: "Detects messages containing 'risky-recover-production' in the message ID header, which may indicate suspicious or malicious activity."
type: "rule"
severity: "low"
source: |
  type.inbound
  and strings.icontains(headers.message_id, 'risky-recover-production')

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "4cc0b5dc-8071-5746-9a9d-4838846ae044"
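The rule logic above (the Detection Query and the `source` block of the raw rule) evaluates `strings.icontains` against the Message-ID header. As an added illustration, not part of the rule or of Sublime's own code, the following Python reproduces that check outside the platform over constructed raw messages, including the mixed-case and missing-header cases; the sample addresses and IDs are invented.

```python
"""Added example: re-implements the rule's Message-ID check with the stdlib email parser."""
from email import message_from_string

# Substring taken from the rule; strings.icontains is a case-insensitive contains.
NEEDLE = "risky-recover-production"


def message_id_contains(raw: str, needle: str = NEEDLE) -> bool:
    """Return True if the Message-ID header contains `needle`, ignoring case.

    A message with no Message-ID header never matches: there is nothing to
    search, which mirrors icontains on a missing header evaluating to false.
    The rule's `type.inbound` clause is assumed to hold for every sample here.
    """
    msg = message_from_string(raw)
    message_id = msg.get("Message-ID")
    if message_id is None:
        return False
    return needle.lower() in message_id.lower()


def matching_subjects(raw_messages: list[str]) -> list[str]:
    """Return the Subject of each message the rule would flag, in input order."""
    return [
        message_from_string(m)["Subject"]
        for m in raw_messages
        if message_id_contains(m)
    ]


# Constructed sample messages (not real traffic); CRLF line endings as on the wire.
SAMPLES = [
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: plain\r\n"
    "Message-ID: <123@mail.example.test>\r\n\r\nbody\r\n",
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: mixed-case\r\n"
    "Message-ID: <Risky-Recover-PRODUCTION.42@host.example.test>\r\n\r\nbody\r\n",
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: no-id\r\n\r\nbody\r\n",
]

if __name__ == "__main__":
    print(matching_subjects(SAMPLES))  # ['mixed-case']
```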