
Commit a383909

[Shared Samples] [PR #4497] added rule: PR# 4497 - Headers: X-Source-Auth mismatch with sender address
1 parent 84a0220 commit a383909

1 file changed

Lines changed: 31 additions & 0 deletions


Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
name: "PR# 4497 - Headers: X-Source-Auth mismatch with sender address"
2+
description: "Detects messages where the X-Source-Auth header contains a different email address than the sender, indicating potential spoofing or mismatched authentication."
3+
type: "rule"
4+
severity: "medium"
5+
source: |
6+
type.inbound
7+
// X-Source-Auth doesn't match sender
8+
and any(headers.hops,
9+
any(.fields,
10+
.name == 'X-Source-Auth'
11+
and .value != sender.email.email
12+
and strings.parse_email(.value).email is not null
13+
)
14+
)
15+
tags:
16+
- "Attack surface reduction"
17+
- pr_author_D-Bolton
18+
- created_from_open_prs
19+
- rule_status_added
20+
attack_types:
21+
- "BEC/Fraud"
22+
- "Credential Phishing"
23+
tactics_and_techniques:
24+
- "Spoofing"
25+
- "Evasion"
26+
detection_methods:
27+
- "Header analysis"
28+
- "Sender analysis"
29+
id: "cc2ac8a8-db8b-5c20-a04c-427908ffd1e4"
30+
references:
31+
- https://github.com/sublime-security/sublime-rules/pull/4497
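Review bot: The mismatch test on the `and .value != sender.email.email` line compares the raw header value against the parsed sender address, although the very next line already parses that header with `strings.parse_email`; a value of the form `"Name" <user@example.com>` (constructed example) or one differing only in letter case would satisfy the inequality and fire on a legitimate message, so the comparison should use the parsed address, `and strings.parse_email(.value).email != sender.email.email`. Whether `sender.email.email` and the parsed header address are case-normalised is not visible in this hunk, so a case-insensitive comparison may still be needed on top of that. The `.name == 'X-Source-Auth'` match is likewise case-sensitive; if hop field names are not normalised before this point, a lowercase `x-source-auth` header would be skipped, which is worth confirming against the platform's header handling. Because the condition is wrapped in `any(headers.hops, ...)`, a header added by an intermediary relay counts the same as one set at the originating hop, and the description could state that so analysts know the match does not by itself locate where the mismatch was introduced.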
