← Back to Explore
sublimelowRule
Russia return-path TLD (untrusted sender)
The return-path header is a .ru TLD from an untrusted sender.
Detection Query
type.inbound
and headers.return_path.domain.tld == "ru"
and sender.email.domain.domain != "corp.mail.ru"
and sender.email.domain.domain != "calendar.yandex.ru"
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Russia return-path TLD (untrusted sender)"
description: |
The return-path header is a .ru TLD from an untrusted sender.
type: "rule"
severity: "low"
source: |
type.inbound
and headers.return_path.domain.tld == "ru"
and sender.email.domain.domain != "corp.mail.ru"
and sender.email.domain.domain != "calendar.yandex.ru"
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
tags:
- "Attack surface reduction"
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
- "Malware/Ransomware"
detection_methods:
- "Header analysis"
- "Sender analysis"
id: "588b3954-c03a-57fb-b5a4-abf993a8c003"