← Back to Explore
sublimelowRule
Suspicious mailer received from Gmail servers
Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam.
Detection Query
type.inbound
and (
strings.ilike(headers.mailer,
"Microsoft CDO for Windows 2000",
"PHPMailer*",
"nodemailer*"
)
or any(headers.hops, any(.fields, .value == "Produced By Microsoft MimeOLE"))
)
and (
any(headers.hops, .index == 0 and .received.server.raw == "smtp.gmail.com")
or headers.return_path.domain.root_domain in ("gmail.com", "googlemail.com")
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Suspicious mailer received from Gmail servers"
description: "Mailer is atypical of sends from Gmail infrastructure. Observed sending callback phishing and general spam."
type: "rule"
severity: "low"
source: |
type.inbound
and (
strings.ilike(headers.mailer,
"Microsoft CDO for Windows 2000",
"PHPMailer*",
"nodemailer*"
)
or any(headers.hops, any(.fields, .value == "Produced By Microsoft MimeOLE"))
)
and (
any(headers.hops, .index == 0 and .received.server.raw == "smtp.gmail.com")
or headers.return_path.domain.root_domain in ("gmail.com", "googlemail.com")
)
and not profile.by_sender().any_messages_benign
tags:
- "Attack surface reduction"
attack_types:
- "Callback Phishing"
- "Spam"
tactics_and_techniques:
- "Free email provider"
- "Social engineering"
detection_methods:
- "Header analysis"
id: "f05f04ee-1234-5a28-98d9-54510c62e1f6"