[Test Rules] [PR #4386] added rule: Attachment: TAR file with RAR type and SPF failure

Author: github-actions[bot]

detection-rules/4386_attachment_tar_with_rar_type_spf_fail.yml

@@ -0,0 +1,22 @@
+name: "Attachment: TAR file with RAR type and SPF failure"
+description: "Detects messages with TAR file extensions that are actually RAR file types, combined with SPF authentication failure. This mismatch between file extension and actual file type may indicate an evasion technique."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and not headers.auth_summary.spf.pass
+  and any(attachments, .file_extension =~ "tar" and .file_type =~ "rar")
+
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "44ad8426-9203-52e2-849b-7290bdd1f4b7"
+og_id: "364a0ea6-8011-5de2-b4c5-5eff8134037a"
+testing_pr: 4386
+testing_sha: a3ee1606a6185a01d44ff8ebc340468bbb5d1140