Russia return-path TLD (untrusted sender)
The return-path header is a .ru TLD from an untrusted sender.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Credential Phishing, Malware/Ransomware |
Event coverage
| Message attribute |
|---|
| headers.return_path |
| sender.email |
| type |
Rule body (MQL)

```mql
type.inbound
and headers.return_path.domain.tld == "ru"
and sender.email.domain.domain != "corp.mail.ru"
and sender.email.domain.domain != "calendar.yandex.ru"
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign
```
Detection logic
Scope: inbound message.
- inbound message
- headers.return_path.domain.tld is 'ru'
- sender.email.domain.domain is not 'corp.mail.ru'
- sender.email.domain.domain is not 'calendar.yandex.ru'
- any of:
  - all of:
    - profile.by_sender().prevalence in ('new', 'outlier')
    - not:
      - profile.by_sender().solicited
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not:
      - profile.by_sender().any_messages_benign
- not:
  - profile.by_sender().any_messages_benign
Inspects: headers.return_path.domain.tld, sender.email.domain.domain, type.inbound. Sensors: profile.by_sender.
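To make the rule's branching concrete, the following is an added example that re-implements the rule body in plain Python over constructed sample messages. It is not Sublime's code and not how the MQL engine evaluates rules; the `SenderProfile` and `Message` dataclasses are assumptions standing in for `profile.by_sender()`, `headers.return_path`, `sender.email` and `type.inbound`, and every sample message is constructed, not real traffic.

```python
from dataclasses import dataclass

# Hypothetical models standing in for the MQL fields the rule reads.
@dataclass(frozen=True)
class SenderProfile:
    prevalence: str                       # e.g. "new", "outlier", "common"
    solicited: bool                       # recipient has mailed this sender before
    any_messages_malicious_or_spam: bool  # prior messages flagged malicious/spam
    any_messages_benign: bool             # prior messages confirmed benign

@dataclass(frozen=True)
class Message:
    inbound: bool            # type.inbound
    return_path_domain: str  # headers.return_path.domain (full domain)
    sender_domain: str       # sender.email.domain.domain (full domain)
    profile: SenderProfile   # profile.by_sender()

# Sender domains the rule body excludes explicitly.
EXCLUDED_SENDER_DOMAINS = frozenset({"corp.mail.ru", "calendar.yandex.ru"})

def tld(domain: str) -> str:
    """Last label of a domain, lower-cased; '' for an empty domain."""
    domain = domain.strip().rstrip(".").lower()
    return domain.rsplit(".", 1)[-1] if domain else ""

def sender_is_untrusted(p: SenderProfile) -> bool:
    """The parenthesised 'any of' block: new/outlier and unsolicited,
    or a history that is only malicious/spam."""
    new_and_unsolicited = p.prevalence in ("new", "outlier") and not p.solicited
    bad_history_only = p.any_messages_malicious_or_spam and not p.any_messages_benign
    return new_and_unsolicited or bad_history_only

def matches_rule(m: Message) -> bool:
    """Mirror the rule body clause by clause (short-circuits like MQL 'and')."""
    return (
        m.inbound
        and tld(m.return_path_domain) == "ru"
        and m.sender_domain not in EXCLUDED_SENDER_DOMAINS
        and sender_is_untrusted(m.profile)
        and not m.profile.any_messages_benign  # trailing clause of the rule
    )

# Constructed sender profiles and messages covering each branch.
NEW_UNSOLICITED = SenderProfile("new", False, False, False)
NEW_SOLICITED = SenderProfile("new", True, False, False)
KNOWN_BAD = SenderProfile("common", False, True, False)
MIXED_HISTORY = SenderProfile("new", False, True, True)

SAMPLES = {
    "new_unsolicited_ru": Message(True, "mx.example-sender.ru", "example-sender.ru", NEW_UNSOLICITED),
    "new_but_solicited": Message(True, "mx.example-sender.ru", "example-sender.ru", NEW_SOLICITED),
    "common_known_bad": Message(True, "bounce.example-sender.ru", "example-sender.ru", KNOWN_BAD),
    "has_benign_history": Message(True, "mx.example-sender.ru", "example-sender.ru", MIXED_HISTORY),
    "excluded_corp_mail": Message(True, "mx.corp.mail.ru", "corp.mail.ru", NEW_UNSOLICITED),
    "outbound": Message(False, "mx.example-sender.ru", "example-sender.ru", NEW_UNSOLICITED),
    "return_path_not_ru": Message(True, "mx.example-sender.com", "example-sender.ru", NEW_UNSOLICITED),
    "ru_return_path_com_sender": Message(True, "mx.example-sender.ru", "example-sender.com", NEW_UNSOLICITED),
}

def evaluate_samples() -> dict:
    """Rule verdict per constructed sample, keyed by sample name."""
    return {name: matches_rule(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'MATCH ' if hit else 'no hit'}  {name}")
```

Two things the samples make visible: the rule keys on the return-path TLD, not the From domain, so a `.com` sender with a `.ru` return path still matches; and the trailing `not profile.by_sender().any_messages_benign` clause subsumes the same check inside the second `all of` branch, so any benign history suppresses the alert regardless of which branch fires.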
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| headers.return_path.domain.tld | equals | ru |