[Test Rules] [PR sublime-security#4285] added rule: Self-sender with email and display name in subject

Author: github-actions[bot]

detection-rules/4285_self_sender_display_name_email_in_subject.yml

@@ -0,0 +1,37 @@
+name: "Self-sender with email and display name in subject"
+description: "Detects messages where the sender emails themselves with both their email address and display name present in the subject line, while the email address differs from the display name. This pattern is commonly used in social engineering attacks to create false legitimacy or test delivery mechanisms."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // self sender
+  and (
+    length(recipients.to) == 1
+    and length(recipients.cc) == 0
+    and sender.email.email == recipients.to[0].email.email
+  )
+  and strings.contains(subject.subject, sender.email.email)
+  and strings.contains(subject.subject, sender.display_name)
+  and sender.email.email != sender.display_name
+  // negating listservs
+  and not (
+    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+    and (
+      strings.contains(sender.display_name, "via")
+      or strings.icontains(subject.subject, "monitor")
+    )
+  )
+attack_types:
+  - "BEC/Fraud"
+  - "Spam"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+  - "Sender analysis"
+  - "Content analysis"
+id: "5b485f71-0d35-5d31-9193-dc4e85ff557f"
+og_id: "f51a5025-71f6-5626-a292-3e75dda0a1e7"
+testing_pr: 4285
+testing_sha: 504f9e99003634db003cd9526e2e9cd49381e024